Analysis
-
max time kernel
149s
-
max time network
123s
-
platform
windows7_x64
-
resource
win7-20240508-en
-
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
-
submitted
02-07-2024 01:00
Static task
static1
Behavioral task
behavioral1
Sample
1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
-
Size
151KB
-
MD5
1d3209d60e33ec86ddcf0cd569132c99
-
SHA1
699b70b9d1b5f6cfed21f9cc3e3361f8f00a2292
-
SHA256
c82e1dde36a2a75cbc86b475f072ecff05f77fd874c89d059c85836ff539fd06
-
SHA512
1f393be5025d829bf4404453ecec1823749dd06d3380ea400d564a38cb291f6b2c70326f3c44d9813c4c0aa9315a018438844983c36555e6585586b1a757537b
-
SSDEEP
3072:XpTRBSXcKETiLb1PnX+3xDmm+jV5JiOxFBWESCGRtexmqQY9:XpeXcKEwZPX+3xqmCVbisEEwRw3
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Deletes itself 1 IoCs
Processes:
pid | process
2576 | wmpcfg32.exe
-
Executes dropped EXE 28 IoCs
Processes:
pid | process
2020 | wmpcfg32.exe
2576 | wmpcfg32.exe
2480 | wmpcfg32.exe
2968 | wmpcfg32.exe
2924 | wmpcfg32.exe
2984 | wmpcfg32.exe
264 | wmpcfg32.exe
2788 | wmpcfg32.exe
1680 | wmpcfg32.exe
1296 | wmpcfg32.exe
2204 | wmpcfg32.exe
1908 | wmpcfg32.exe
1212 | wmpcfg32.exe
608 | wmpcfg32.exe
3052 | wmpcfg32.exe
2372 | wmpcfg32.exe
1308 | wmpcfg32.exe
1580 | wmpcfg32.exe
3064 | wmpcfg32.exe
2680 | wmpcfg32.exe
2660 | wmpcfg32.exe
2632 | wmpcfg32.exe
2232 | wmpcfg32.exe
2964 | wmpcfg32.exe
3004 | wmpcfg32.exe
2792 | wmpcfg32.exe
2504 | wmpcfg32.exe
768 | wmpcfg32.exe
-
Loads dropped DLL 56 IoCs
Processes:
pid | process
1672 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
1672 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
2020 | wmpcfg32.exe
2020 | wmpcfg32.exe
2576 | wmpcfg32.exe
2576 | wmpcfg32.exe
2480 | wmpcfg32.exe
2480 | wmpcfg32.exe
2968 | wmpcfg32.exe
2968 | wmpcfg32.exe
2924 | wmpcfg32.exe
2924 | wmpcfg32.exe
2984 | wmpcfg32.exe
2984 | wmpcfg32.exe
264 | wmpcfg32.exe
264 | wmpcfg32.exe
2788 | wmpcfg32.exe
2788 | wmpcfg32.exe
1680 | wmpcfg32.exe
1680 | wmpcfg32.exe
1296 | wmpcfg32.exe
1296 | wmpcfg32.exe
2204 | wmpcfg32.exe
2204 | wmpcfg32.exe
1908 | wmpcfg32.exe
1908 | wmpcfg32.exe
1212 | wmpcfg32.exe
1212 | wmpcfg32.exe
608 | wmpcfg32.exe
608 | wmpcfg32.exe
3052 | wmpcfg32.exe
3052 | wmpcfg32.exe
2372 | wmpcfg32.exe
2372 | wmpcfg32.exe
1308 | wmpcfg32.exe
1308 | wmpcfg32.exe
1580 | wmpcfg32.exe
1580 | wmpcfg32.exe
3064 | wmpcfg32.exe
3064 | wmpcfg32.exe
2680 | wmpcfg32.exe
2680 | wmpcfg32.exe
2660 | wmpcfg32.exe
2660 | wmpcfg32.exe
2632 | wmpcfg32.exe
2632 | wmpcfg32.exe
2232 | wmpcfg32.exe
2232 | wmpcfg32.exe
2964 | wmpcfg32.exe
2964 | wmpcfg32.exe
3004 | wmpcfg32.exe
3004 | wmpcfg32.exe
2792 | wmpcfg32.exe
2792 | wmpcfg32.exe
2504 | wmpcfg32.exe
2504 | wmpcfg32.exe
-
Processes:
resource | yara_rule
behavioral1/memory/1672-2-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1672-4-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1672-3-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1672-6-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1672-7-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1672-8-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1672-9-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1672-22-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2576-33-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2576-34-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2576-35-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2576-41-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2968-53-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2968-60-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2984-78-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2788-90-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2788-98-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1296-110-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1296-111-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1296-117-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1908-128-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1908-136-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/608-148-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/608-155-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2372-167-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2372-175-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1580-187-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1580-194-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2680-203-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2680-207-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2632-216-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2632-220-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2964-229-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2964-233-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2792-242-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2792-246-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/768-255-0x0000000000400000-0x0000000000455000-memory.dmp | upx
-
Maps connected drives based on registry 3 TTPs 30 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcfg32.exe
-
Drops file in System32 directory 43 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File created | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
File opened for modification | C:\Windows\SysWOW64\wmpcfg32.exe | wmpcfg32.exe
-
Suspicious use of SetThreadContext 15 IoCs
Processes:
description | pid | process | target process
PID 2552 set thread context of 1672 | 2552 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
PID 2020 set thread context of 2576 | 2020 | wmpcfg32.exe | wmpcfg32.exe
PID 2480 set thread context of 2968 | 2480 | wmpcfg32.exe | wmpcfg32.exe
PID 2924 set thread context of 2984 | 2924 | wmpcfg32.exe | wmpcfg32.exe
PID 264 set thread context of 2788 | 264 | wmpcfg32.exe | wmpcfg32.exe
PID 1680 set thread context of 1296 | 1680 | wmpcfg32.exe | wmpcfg32.exe
PID 2204 set thread context of 1908 | 2204 | wmpcfg32.exe | wmpcfg32.exe
PID 1212 set thread context of 608 | 1212 | wmpcfg32.exe | wmpcfg32.exe
PID 3052 set thread context of 2372 | 3052 | wmpcfg32.exe | wmpcfg32.exe
PID 1308 set thread context of 1580 | 1308 | wmpcfg32.exe | wmpcfg32.exe
PID 3064 set thread context of 2680 | 3064 | wmpcfg32.exe | wmpcfg32.exe
PID 2660 set thread context of 2632 | 2660 | wmpcfg32.exe | wmpcfg32.exe
PID 2232 set thread context of 2964 | 2232 | wmpcfg32.exe | wmpcfg32.exe
PID 3004 set thread context of 2792 | 3004 | wmpcfg32.exe | wmpcfg32.exe
PID 2504 set thread context of 768 | 2504 | wmpcfg32.exe | wmpcfg32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
pid | process
1672 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
1672 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
2576 | wmpcfg32.exe
2576 | wmpcfg32.exe
2968 | wmpcfg32.exe
2968 | wmpcfg32.exe
2984 | wmpcfg32.exe
2984 | wmpcfg32.exe
2788 | wmpcfg32.exe
2788 | wmpcfg32.exe
1296 | wmpcfg32.exe
1296 | wmpcfg32.exe
1908 | wmpcfg32.exe
1908 | wmpcfg32.exe
608 | wmpcfg32.exe
608 | wmpcfg32.exe
2372 | wmpcfg32.exe
2372 | wmpcfg32.exe
1580 | wmpcfg32.exe
1580 | wmpcfg32.exe
2680 | wmpcfg32.exe
2680 | wmpcfg32.exe
2632 | wmpcfg32.exe
2632 | wmpcfg32.exe
2964 | wmpcfg32.exe
2964 | wmpcfg32.exe
2792 | wmpcfg32.exe
2792 | wmpcfg32.exe
768 | wmpcfg32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2552 wrote to memory of 1672 | 2552 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
PID 2552 wrote to memory of 1672 | 2552 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
PID 2552 wrote to memory of 1672 | 2552 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
PID 2552 wrote to memory of 1672 | 2552 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
PID 2552 wrote to memory of 1672 | 2552 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
PID 2552 wrote to memory of 1672 | 2552 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
PID 2552 wrote to memory of 1672 | 2552 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
PID 1672 wrote to memory of 2020 | 1672 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | wmpcfg32.exe
PID 1672 wrote to memory of 2020 | 1672 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | wmpcfg32.exe
PID 1672 wrote to memory of 2020 | 1672 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | wmpcfg32.exe
PID 1672 wrote to memory of 2020 | 1672 | 1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe | wmpcfg32.exe
PID 2020 wrote to memory of 2576 | 2020 | wmpcfg32.exe | wmpcfg32.exe
PID 2020 wrote to memory of 2576 | 2020 | wmpcfg32.exe | wmpcfg32.exe
PID 2020 wrote to memory of 2576 | 2020 | wmpcfg32.exe | wmpcfg32.exe
PID 2020 wrote to memory of 2576 | 2020 | wmpcfg32.exe | wmpcfg32.exe
PID 2020 wrote to memory of 2576 | 2020 | wmpcfg32.exe | wmpcfg32.exe
PID 2020 wrote to memory of 2576 | 2020 | wmpcfg32.exe | wmpcfg32.exe
PID 2020 wrote to memory of 2576 | 2020 | wmpcfg32.exe | wmpcfg32.exe
PID 2576 wrote to memory of 2480 | 2576 | wmpcfg32.exe | wmpcfg32.exe
PID 2576 wrote to memory of 2480 | 2576 | wmpcfg32.exe | wmpcfg32.exe
PID 2576 wrote to memory of 2480 | 2576 | wmpcfg32.exe | wmpcfg32.exe
PID 2576 wrote to memory of 2480 | 2576 | wmpcfg32.exe | wmpcfg32.exe
PID 2480 wrote to memory of 2968 | 2480 | wmpcfg32.exe | wmpcfg32.exe
PID 2480 wrote to memory of 2968 | 2480 | wmpcfg32.exe | wmpcfg32.exe
PID 2480 wrote to memory of 2968 | 2480 | wmpcfg32.exe | wmpcfg32.exe
PID 2480 wrote to memory of 2968 | 2480 | wmpcfg32.exe | wmpcfg32.exe
PID 2480 wrote to memory of 2968 | 2480 | wmpcfg32.exe | wmpcfg32.exe
PID 2480 wrote to memory of 2968 | 2480 | wmpcfg32.exe | wmpcfg32.exe
PID 2480 wrote to memory of 2968 | 2480 | wmpcfg32.exe | wmpcfg32.exe
PID 2968 wrote to memory of 2924 | 2968 | wmpcfg32.exe | wmpcfg32.exe
PID 2968 wrote to memory of 2924 | 2968 | wmpcfg32.exe | wmpcfg32.exe
PID 2968 wrote to memory of 2924 | 2968 | wmpcfg32.exe | wmpcfg32.exe
PID 2968 wrote to memory of 2924 | 2968 | wmpcfg32.exe | wmpcfg32.exe
PID 2924 wrote to memory of 2984 | 2924 | wmpcfg32.exe | wmpcfg32.exe
PID 2924 wrote to memory of 2984 | 2924 | wmpcfg32.exe | wmpcfg32.exe
PID 2924 wrote to memory of 2984 | 2924 | wmpcfg32.exe | wmpcfg32.exe
PID 2924 wrote to memory of 2984 | 2924 | wmpcfg32.exe | wmpcfg32.exe
PID 2924 wrote to memory of 2984 | 2924 | wmpcfg32.exe | wmpcfg32.exe
PID 2924 wrote to memory of 2984 | 2924 | wmpcfg32.exe | wmpcfg32.exe
PID 2924 wrote to memory of 2984 | 2924 | wmpcfg32.exe | wmpcfg32.exe
PID 2984 wrote to memory of 264 | 2984 | wmpcfg32.exe | wmpcfg32.exe
PID 2984 wrote to memory of 264 | 2984 | wmpcfg32.exe | wmpcfg32.exe
PID 2984 wrote to memory of 264 | 2984 | wmpcfg32.exe | wmpcfg32.exe
PID 2984 wrote to memory of 264 | 2984 | wmpcfg32.exe | wmpcfg32.exe
PID 264 wrote to memory of 2788 | 264 | wmpcfg32.exe | wmpcfg32.exe
PID 264 wrote to memory of 2788 | 264 | wmpcfg32.exe | wmpcfg32.exe
PID 264 wrote to memory of 2788 | 264 | wmpcfg32.exe | wmpcfg32.exe
PID 264 wrote to memory of 2788 | 264 | wmpcfg32.exe | wmpcfg32.exe
PID 264 wrote to memory of 2788 | 264 | wmpcfg32.exe | wmpcfg32.exe
PID 264 wrote to memory of 2788 | 264 | wmpcfg32.exe | wmpcfg32.exe
PID 264 wrote to memory of 2788 | 264 | wmpcfg32.exe | wmpcfg32.exe
PID 2788 wrote to memory of 1680 | 2788 | wmpcfg32.exe | wmpcfg32.exe
PID 2788 wrote to memory of 1680 | 2788 | wmpcfg32.exe | wmpcfg32.exe
PID 2788 wrote to memory of 1680 | 2788 | wmpcfg32.exe | wmpcfg32.exe
PID 2788 wrote to memory of 1680 | 2788 | wmpcfg32.exe | wmpcfg32.exe
PID 1680 wrote to memory of 1296 | 1680 | wmpcfg32.exe | wmpcfg32.exe
PID 1680 wrote to memory of 1296 | 1680 | wmpcfg32.exe | wmpcfg32.exe
PID 1680 wrote to memory of 1296 | 1680 | wmpcfg32.exe | wmpcfg32.exe
PID 1680 wrote to memory of 1296 | 1680 | wmpcfg32.exe | wmpcfg32.exe
PID 1680 wrote to memory of 1296 | 1680 | wmpcfg32.exe | wmpcfg32.exe
PID 1680 wrote to memory of 1296 | 1680 | wmpcfg32.exe | wmpcfg32.exe
PID 1680 wrote to memory of 1296 | 1680 | wmpcfg32.exe | wmpcfg32.exe
PID 1296 wrote to memory of 2204 | 1296 | wmpcfg32.exe | wmpcfg32.exe
PID 1296 wrote to memory of 2204 | 1296 | wmpcfg32.exe | wmpcfg32.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
2. C:\Users\Admin\AppData\Local\Temp\1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d3209d60e33ec86ddcf0cd569132c99_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
3. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Users\Admin\AppData\Local\Temp\1D3209~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
4. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Users\Admin\AppData\Local\Temp\1D3209~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
5. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
6. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
7. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
8. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
9. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
10. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
11. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
12. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
13. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
14. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
15. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
16. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
17. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
18. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
19. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
20. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
21. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
22. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
23. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
24. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
25. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
26. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
27. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
28. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
29. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
30. C:\Windows\SysWOW64\wmpcfg32.exe
"C:\Windows\system32\wmpcfg32.exe" C:\Windows\SysWOW64\wmpcfg32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Windows\SysWOW64\wmpcfg32.exe
Filesize 151KB
MD5 1d3209d60e33ec86ddcf0cd569132c99
SHA1 699b70b9d1b5f6cfed21f9cc3e3361f8f00a2292
SHA256 c82e1dde36a2a75cbc86b475f072ecff05f77fd874c89d059c85836ff539fd06
SHA512 1f393be5025d829bf4404453ecec1823749dd06d3380ea400d564a38cb291f6b2c70326f3c44d9813c4c0aa9315a018438844983c36555e6585586b1a757537b
-
memory/608-155-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/608-148-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/768-255-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1296-117-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1296-111-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1296-110-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1580-194-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1580-187-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1672-8-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1672-4-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1672-2-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1672-3-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1672-0-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1672-22-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1672-6-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1672-7-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1672-9-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1908-128-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/1908-136-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2372-175-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2372-167-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2576-35-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2576-41-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2576-33-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2576-34-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2632-216-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2632-220-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2680-203-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2680-207-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2788-90-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2788-98-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2792-246-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2792-242-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2964-229-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2964-233-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2968-53-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2968-60-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB
-
memory/2984-78-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize 340KB