Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-04-2024 20:29

Static task: static1
Behavioral task behavioral1: sample f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe, resource win7-20240221-en
Behavioral task behavioral2: sample f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe, resource win10v2004-20240412-en

General
Target: f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe
Size: 174KB
MD5: f8ae3d04134db63bf814f3165944bdef
SHA1: c702c34f97cc79b37c61add307997ab9250dd8f3
SHA256: c563f1f45275a004ab9c038692b371b7369ffa0a98fb689b2a8a5ce0d6d51701
SHA512: 2f6d2abf50847f65a505754d67946cb13ad3fcafd00563569b12f5904169942a934fea809681f345641dca29aa98a141382a23af48d12bdb26b27e94af3c88ac
SSDEEP: 3072:q6UHMux55t76czZuVf6mm2fWTFphvIPKOcmZN8IjSPhZSeaOjA9/OX:BuT76KGFm28hvIPcmN5IhZSJ9/OX
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
(The signatures, memory dumps and process tree below come from the behavioral2 run on win10v2004-20240412-en; the yara hits name behavioral2 dumps.)

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
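The report names only the encoder. As an added illustration (not part of this report, and not the sample's own bytes, which the page does not show), the Python below locates the fixed tail of the Metasploit x86/call4_dword_xor decoder stub in a buffer, reads the 32-bit XOR key out of it and decodes the dword blocks that follow. The stub bytes and the `sub ecx,ecx / sub ecx,-n` ECX setup are reproduced from the Metasploit Framework encoder as the author of this example knows them; Metasploit varies the ECX setup to avoid bad characters, so the match is anchored only on the invariant 19 bytes and the block count is read opportunistically. `encode_call4_dword_xor` exists solely to build a constructed test buffer.

```python
import re
import struct

# Fixed tail of the Metasploit x86/call4_dword_xor decoder stub (bytes as generated by the
# Metasploit Framework encoder, to the best of this example author's knowledge; the sample's
# own stub is not shown on this page). Metasploit prefixes it with an ECX setup that it
# varies to dodge bad characters, so the match is anchored on the invariant 19 bytes:
#
#   e8 ff ff ff ff        call $+4            ; pushes the address of the 'c0' byte below
#   (ff) c0               inc eax             ; the call's last 'ff' is re-decoded as 'ff c0'
#   5e                    pop esi             ; esi -> the 'c0' byte
#   81 76 0e KK KK KK KK  xor [esi+0x0e], key ; esi+0x0e = first encoded dword
#   83 ee fc              sub esi, -4         ; advance one dword
#   e2 f4                 loop (back to xor)  ; ecx = number of dwords
STUB_RE = re.compile(
    rb"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e(.{4})\x83\xee\xfc\xe2\xf4", re.DOTALL)
STUB_LEN = 19


def encode_call4_dword_xor(payload: bytes, key: int) -> bytes:
    """Build a buffer shaped like the encoder's output, for testing the decoder offline.
    Uses the 'sub ecx,ecx / sub ecx,-n' ECX setup and NOP padding to a dword boundary
    (assumptions of this example, not a claim about the sample)."""
    if not payload:
        raise ValueError("empty payload")
    payload += b"\x90" * ((-len(payload)) % 4)
    n_blocks = len(payload) // 4
    if n_blocks > 128:
        raise ValueError("demo only emits the imm8 form of sub ecx")
    prefix = b"\x29\xc9\x83\xe9" + struct.pack("<b", -n_blocks)
    stub = (b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" + struct.pack("<I", key)
            + b"\x83\xee\xfc\xe2\xf4")
    body = b"".join(struct.pack("<I", struct.unpack("<I", payload[i:i + 4])[0] ^ key)
                    for i in range(0, len(payload), 4))
    return prefix + stub + body


def find_call4_dword_xor(buf: bytes):
    """Return (stub_offset, xor_key, block_count) for the first stub found, or None.
    block_count is None when the preceding ECX setup is not one of the two forms parsed."""
    m = STUB_RE.search(buf)
    if m is None:
        return None
    key = struct.unpack("<I", m.group(1))[0]
    pre = buf[max(0, m.start() - 6):m.start()]
    n = None
    if len(pre) >= 6 and pre[-6:-4] == b"\x81\xe9":      # sub ecx, imm32 (negative count)
        n = -struct.unpack("<i", pre[-4:])[0]
    elif len(pre) >= 3 and pre[-3:-1] == b"\x83\xe9":    # sub ecx, imm8 (negative count)
        n = -struct.unpack("<b", pre[-1:])[0]
    return m.start(), key, n


def decode_call4_dword_xor(buf: bytes):
    """Recover the encoded payload that follows the stub, or None if no stub is present."""
    hit = find_call4_dword_xor(buf)
    if hit is None:
        return None
    off, key, n = hit
    enc = buf[off + STUB_LEN:]
    if n is not None:
        enc = enc[:4 * n]
    enc = enc[:len(enc) - len(enc) % 4]
    return b"".join(struct.pack("<I", struct.unpack("<I", enc[i:i + 4])[0] ^ key)
                    for i in range(0, len(enc), 4))
```

The same 19-byte tail is what a YARA hex string would carry (`{ e8 ff ff ff ff c0 5e 81 76 0e ?? ?? ?? ?? 83 ee fc e2 f4 }`), which is the usual way a sandbox attributes a blob to this encoder; because the key is a constant for the whole payload, one matched stub is enough to decode the blob offline without running it.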
Checks computer location settings (2 TTPs, 13 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process | rows
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation | igfxwd32.exe | 12
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation | f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe | 1
Deletes itself (1 IoC)
pid | process
1348 | igfxwd32.exe
(PID 1348 is the first hollowed copy running from SysWOW64; it receives the dropper's 8.3 path, C:\Users\Admin\AppData\Local\Temp\F8AE3D~1.EXE, on its command line and is the process that removes the original file.)
Executes dropped EXE (26 IoCs)
pid | process
768, 1348, 2336, 1844, 5016, 4944, 4280, 4976, 4084, 4508, 4480, 4288, 4376, 4876, 380, 2268, 4972, 4332, 3748, 3832, 3996, 1660, 2972, 5104, 2848, 4832 | igfxwd32.exe (one row per pid)
Yara rule hits: upx (27 IoCs)
Every hit is on the image region 0x0000000000400000-0x0000000000466000 of a hollowed (even-depth) process in the tree below, i.e. the UPX packer headers are still present in the written-in image.
resource | yara_rule
behavioral2/memory/<dump>-0x0000000000400000-0x0000000000466000-memory.dmp | upx
for <dump> in: 1552-0, 1552-2, 1552-3, 1552-4, 1552-37, 1348-46, 1844-52, 1844-55, 4944-62, 4944-64, 4976-72, 4508-78, 4508-80, 4288-88, 4288-89, 4876-99, 2268-105, 2268-108, 4332-114, 4332-117, 3832-123, 3832-129, 1660-134, 1660-139, 5104-144, 5104-149, 4832-155
Maps connected drives based on registry (3 TTPs, 28 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | process | rows
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwd32.exe | 13
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe | 1
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwd32.exe | 13
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe | 1
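What the two registry values behind the "Checks computer location settings" and "Maps connected drives based on registry" signatures actually contain, as an added example that is not part of this report: Geo\Nation holds a decimal GeoID string and disk\Enum\0 holds the device-instance path of the first disk, whose vendor and model fields expose VirtualBox, VMware, QEMU or Hyper-V disks. The script parses both and reports what a geofence and a VM check would see. The GeoID subset is a hand-picked part of Microsoft's table, the `blocked_geoids` deny-list is a hypothetical parameter (the report does not reveal which countries, if any, this sample avoids) and the `SAMPLES` values are constructed; `read_live_values` only works on a Windows host and is never required.

```python
import re

try:
    import winreg            # Windows only; the offline demo and its checks never need it
except ImportError:
    winreg = None

# Subset of Microsoft's GeoID table; HKCU\Control Panel\International\Geo\Nation holds the
# GeoID as a decimal string. Only a few well-known entries are included here.
GEOID = {244: "United States", 39: "Canada", 242: "United Kingdom", 94: "Germany",
         84: "France", 122: "Japan", 45: "China", 203: "Russia", 241: "Ukraine", 29: "Belarus"}

# Vendor/model fragments that appear in the disk device-instance path stored in
# HKLM\SYSTEM\ControlSet001\Services\disk\Enum\0 when the disk is hypervisor-backed.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

DEVPATH_RE = re.compile(r"^(?P<bus>[^\\]+)\\(?P<ids>[^\\]+)\\(?P<instance>.+)$")


def parse_disk_enum(value: str) -> dict:
    """Split '<bus>\\<hardware ids>\\<instance>' and pull vendor/product out of the ids."""
    m = DEVPATH_RE.match(value)
    if m is None:
        raise ValueError(f"not a device instance path: {value!r}")
    ids = m["ids"]
    ven = re.search(r"Ven_([^&]+)", ids)
    prod = re.search(r"Prod_([^&]+)", ids)
    if ven:                                   # SCSI-style: Disk&Ven_X&Prod_Y
        vendor = ven.group(1)
    elif ids.startswith("Disk"):              # IDE/ATA-style: Disk<MODEL_STRING>
        vendor = ids[4:].split("_", 1)[0]
    else:
        vendor = ids
    return {"bus": m["bus"], "vendor": vendor,
            "product": prod.group(1) if prod else ids,
            "vm_markers": [k for k in VM_MARKERS if k in ids.upper()]}


def assess(geo_nation: str, disk_enum0: str, blocked_geoids=frozenset()) -> dict:
    """Evaluate the two values the way a geofence plus VM check would read them.
    `blocked_geoids` is a hypothetical deny-list supplied by the caller."""
    geoid = int(geo_nation)
    disk = parse_disk_enum(disk_enum0)
    return {"geoid": geoid, "country": GEOID.get(geoid, "unknown"),
            "geofenced": geoid in blocked_geoids,
            "looks_virtual": bool(disk["vm_markers"]), "disk": disk}


def read_live_values():
    """On Windows, read the two values this sample queried from the live registry."""
    if winreg is None:
        return None
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Control Panel\International\Geo") as k:
        nation = winreg.QueryValueEx(k, "Nation")[0]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\ControlSet001\Services\disk\Enum") as k:
        enum0 = winreg.QueryValueEx(k, "0")[0]
    return nation, enum0


# Constructed sample values (not taken from the report):
SAMPLES = {
    "vbox":     ("244", r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1a2b3c4d&0&0.0.0"),
    "vmware":   ("203", r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&12345678&0&000000"),
    "physical": ("94",  r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_970\5&deadbeef&0&000000"),
}
```

For a detonation environment the practical consequence is the reverse of the check: the disk vendor string and the GeoID are both trivially settable (the first through the hypervisor's disk model, the second through the regional settings), so a sandbox that wants to get past these two checks should present a non-virtual model string and whatever locale the campaign targets.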
Drops file in System32 directory (39 IoCs)
description | ioc | process | rows
File created | C:\Windows\SysWOW64\igfxwd32.exe | igfxwd32.exe | 12
File created | C:\Windows\SysWOW64\igfxwd32.exe | f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\SysWOW64\igfxwd32.exe | igfxwd32.exe | 12
File opened for modification | C:\Windows\SysWOW64\igfxwd32.exe | f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\SysWOW64\ | igfxwd32.exe | 12
File opened for modification | C:\Windows\SysWOW64\ | f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe | 1
Suspicious use of SetThreadContext (14 IoCs)
description | pid | process | procid_target
PID 2268 set thread context of 1552 | 2268 | f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe | 85
PID 768 set thread context of 1348 | 768 | igfxwd32.exe | 87
PID 2336 set thread context of 1844 | 2336 | igfxwd32.exe | 91
PID 5016 set thread context of 4944 | 5016 | igfxwd32.exe | 93
PID 4280 set thread context of 4976 | 4280 | igfxwd32.exe | 96
PID 4084 set thread context of 4508 | 4084 | igfxwd32.exe | 98
PID 4480 set thread context of 4288 | 4480 | igfxwd32.exe | 100
PID 4376 set thread context of 4876 | 4376 | igfxwd32.exe | 102
PID 380 set thread context of 2268 | 380 | igfxwd32.exe | 104
PID 4972 set thread context of 4332 | 4972 | igfxwd32.exe | 106
PID 3748 set thread context of 3832 | 3748 | igfxwd32.exe | 108
PID 3996 set thread context of 1660 | 3996 | igfxwd32.exe | 110
PID 2972 set thread context of 5104 | 2972 | igfxwd32.exe | 112
PID 2848 set thread context of 4832 | 2848 | igfxwd32.exe | 114
(PID 2268 appears twice in this report: first as the original launcher and later, at depth 18 of the tree, as an igfxwd32.exe child of PID 380. The sandbox reused the PID after the launcher exited, so correlate on PID plus start time rather than on PID alone.)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (13 IoCs)
description | ioc | process | rows
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwd32.exe | 12
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe | 1
Suspicious behavior: EnumeratesProcesses (54 IoCs)
pid | process | rows
1552 | f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe | 4
1348, 1844, 4944, 4976, 4508, 4288, 4876, 2268, 4332, 3832, 1660, 5104 | igfxwd32.exe | 4 each
4832 | igfxwd32.exe | 2
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target | rows
PID 2268 wrote to memory of 1552 | 2268 | f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe | 85 | 7
PID 1552 wrote to memory of 768 | 1552 | f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe | 86 | 3
PID 768 wrote to memory of 1348 | 768 | igfxwd32.exe | 87 | 7
PID 1348 wrote to memory of 2336 | 1348 | igfxwd32.exe | 88 | 3
PID 2336 wrote to memory of 1844 | 2336 | igfxwd32.exe | 91 | 7
PID 1844 wrote to memory of 5016 | 1844 | igfxwd32.exe | 92 | 3
PID 5016 wrote to memory of 4944 | 5016 | igfxwd32.exe | 93 | 7
PID 4944 wrote to memory of 4280 | 4944 | igfxwd32.exe | 95 | 3
PID 4280 wrote to memory of 4976 | 4280 | igfxwd32.exe | 96 | 7
PID 4976 wrote to memory of 4084 | 4976 | igfxwd32.exe | 97 | 3
PID 4084 wrote to memory of 4508 | 4084 | igfxwd32.exe | 98 | 7
PID 4508 wrote to memory of 4480 | 4508 | igfxwd32.exe | 99 | 3
PID 4480 wrote to memory of 4288 | 4480 | igfxwd32.exe | 100 | 4 (listing ends here)
Every parent that appears in the SetThreadContext table writes to its child seven times; each hollowed child writes three times into the launcher it spawns and never sets that launcher's thread context, so the three writes are the ordinary cost of starting a child process, not hollowing. The listing stops at 64 entries (the last row, 4480 to 4288, shows only 4 of its writes), which is consistent with the processes from depth 14 onward in the tree below carrying no WriteProcessMemory tag.
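The two tables above, in the exact one-row-per-call format the report prints, are enough to reconstruct the hollowing chain without the process tree. The following is an added example (not part of the report): it parses a subset of the rows (copied from the tables above, first three generations) and flags a parent/child pair only when the parent both wrote into the child and replaced the child's thread context, then walks the write edges to label each process as launcher or hollowed copy. The `min_writes` threshold and the role names are this example's own choices.

```python
import re
from collections import Counter

# One row of the report's "Suspicious use of SetThreadContext" / "Suspicious use of
# WriteProcessMemory" tables: "PID <src> <verb> <dst> <src> <image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\d+)")

_DROPPER = "f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe"
# Rows copied from the report above (first three launcher/child generations only).
REPORT_ROWS = (
    [f"PID 2268 set thread context of 1552 2268 {_DROPPER} 85",
     "PID 768 set thread context of 1348 768 igfxwd32.exe 87",
     "PID 2336 set thread context of 1844 2336 igfxwd32.exe 91"]
    + [f"PID 2268 wrote to memory of 1552 2268 {_DROPPER} 85"] * 7
    + [f"PID 1552 wrote to memory of 768 1552 {_DROPPER} 86"] * 3
    + ["PID 768 wrote to memory of 1348 768 igfxwd32.exe 87"] * 7
    + ["PID 1348 wrote to memory of 2336 1348 igfxwd32.exe 88"] * 3
    + ["PID 2336 wrote to memory of 1844 2336 igfxwd32.exe 91"] * 7
)


def parse(rows):
    """Return (write_counts[(src, dst)], set of (src, dst) SetThreadContext edges, image by pid)."""
    writes, ctx, image = Counter(), set(), {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue                      # ignore anything that is not a row of these tables
        src, verb, dst, img, _target = m.groups()
        src, dst = int(src), int(dst)
        image[src] = img
        if verb.startswith("set"):
            ctx.add((src, dst))
        else:
            writes[(src, dst)] += 1
    return writes, ctx, image


def find_hollowing(rows, min_writes=4):
    """Flag parent->child pairs showing the hollowing sequence: several WriteProcessMemory
    calls into the child followed by SetThreadContext on it. A pair with writes but no
    context change (an ordinary CreateProcess) is not reported at all."""
    writes, ctx, image = parse(rows)
    return [{"parent": s, "child": d, "image": image[s], "writes": writes[(s, d)],
             "suspicious": writes[(s, d)] >= min_writes}
            for (s, d) in sorted(ctx)]


def hollowing_chain(rows):
    """Walk the write edges from the root process and label each pid by its role.
    Assumes pids are unique within the rows given (the full report reuses 2268)."""
    writes, ctx, _ = parse(rows)
    written_to = {d for (_, d) in writes}
    roots = sorted({s for (s, _) in writes} - written_to)
    if len(roots) != 1:
        raise ValueError(f"expected a single root, found {roots}")
    hollowed = {d for (_, d) in ctx}
    chain, pid, seen = [], roots[0], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, "hollowed" if pid in hollowed else "launcher"))
        nxt = [d for (s, d) in writes if s == pid]
        pid = nxt[0] if len(nxt) == 1 else None
    return chain
```

On endpoint telemetry the same logic keys on (pid, process start time) rather than bare pid, because, as the report itself shows with 2268, a pid is reused once the launcher exits; the SetThreadContext edge is the discriminator, since plain child creation also produces a handful of cross-process writes.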
Processes
Each odd-depth entry is a launcher: it starts a child, writes into it and replaces the child's thread context (SetThreadContext). The even-depth child is the hollowed instance that performs the registry checks, drops igfxwd32.exe and spawns the next launcher. From depth 3 on, the image path is C:\Windows\SysWOW64\igfxwd32.exe although the command line names C:\Windows\system32\igfxwd32.exe: the process runs under WOW64 (its file drops land in SysWOW64 and its CLSID key under WOW6432Node), so the system32 path is redirected. Depths 5 to 28 all run the same command line, "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe.

depth 1, PID 2268: C:\Users\Admin\AppData\Local\Temp\f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe"
  Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 2, PID 1552: C:\Users\Admin\AppData\Local\Temp\f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\f8ae3d04134db63bf814f3165944bdef_JaffaCakes118.exe"
  Checks computer location settings; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 3, PID 768: C:\Windows\SysWOW64\igfxwd32.exe
  cmd: "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\F8AE3D~1.EXE
  Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 4, PID 1348: C:\Windows\SysWOW64\igfxwd32.exe
  cmd: "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\F8AE3D~1.EXE
  Checks computer location settings; Deletes itself; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 5, PID 2336: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 6, PID 1844: C:\Windows\SysWOW64\igfxwd32.exe
  Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 7, PID 5016: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 8, PID 4944: C:\Windows\SysWOW64\igfxwd32.exe
  Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 9, PID 4280: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 10, PID 4976: C:\Windows\SysWOW64\igfxwd32.exe
  Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 11, PID 4084: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 12, PID 4508: C:\Windows\SysWOW64\igfxwd32.exe
  Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 13, PID 4480: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 14, PID 4288: C:\Windows\SysWOW64\igfxwd32.exe
  Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
depth 15, PID 4376: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext
depth 16, PID 4876: C:\Windows\SysWOW64\igfxwd32.exe
  Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
depth 17, PID 380: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext
depth 18, PID 2268: C:\Windows\SysWOW64\igfxwd32.exe
  Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
depth 19, PID 4972: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext
depth 20, PID 4332: C:\Windows\SysWOW64\igfxwd32.exe
  Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
depth 21, PID 3748: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext
depth 22, PID 3832: C:\Windows\SysWOW64\igfxwd32.exe
  Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
depth 23, PID 3996: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext
depth 24, PID 1660: C:\Windows\SysWOW64\igfxwd32.exe
  Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
depth 25, PID 2972: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext
depth 26, PID 5104: C:\Windows\SysWOW64\igfxwd32.exe
  Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
depth 27, PID 2848: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Suspicious use of SetThreadContext
depth 28, PID 4832: C:\Windows\SysWOW64\igfxwd32.exe
  Executes dropped EXE; Maps connected drives based on registry; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 174KB
MD5: f8ae3d04134db63bf814f3165944bdef
SHA1: c702c34f97cc79b37c61add307997ab9250dd8f3
SHA256: c563f1f45275a004ab9c038692b371b7369ffa0a98fb689b2a8a5ce0d6d51701
SHA512: 2f6d2abf50847f65a505754d67946cb13ad3fcafd00563569b12f5904169942a934fea809681f345641dca29aa98a141382a23af48d12bdb26b27e94af3c88ac