Analysis
max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted
23-06-2024 02:14
Static task
static1
Behavioral task
behavioral1
Sample
04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target
04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe
Size
253KB
MD5
04de69c39e4ab507cdb6640e482e8442
SHA1
0399275a2bf1ff96545355f9698e3959f69443a5
SHA256
55285cb81e0cc074503ad5d8c0ad64646d383c9516122d1713df65a9abb7cd45
SHA512
51b267a491cafd99c015a059f5a61d9cc6f2b4669d081f9d9214e3f56f5afba665cbb9cc8f45c6215f96ca6b29ef2c081cba7e7ac127f939c0d149e6e8be18d8
SSDEEP
6144:hWOjEO8DKAabFAJH+1IvHAgITwf+gTD3VW/+KQUJ:gOjELDK3C9+1QAq2gDTBUJ
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
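The config extractor only names the encoder (call4_dword_xor); it does not strip it. To get at the actual payload from a dumped region you have to locate the decoder stub and undo its XOR. The following is an added example of mine, not code from the report, from Tria.ge or from Metasploit. The stub layout in the comments is my reading of Metasploit's x86/call4_dword_xor encoder and should be checked against your copy of the framework; SAMPLE_PAYLOAD and SAMPLE_KEY are constructed for the round trip, the NOP padding and the 128-dword limit are my assumptions about the encoder, and the function names are mine.

```python
import re
import struct

# 24-byte decoder stub, as I read it from Metasploit's x86/call4_dword_xor
# encoder (assumption: verify against your copy of the framework):
#
#   31 c9                 xor  ecx, ecx
#   83 e9 NN              sub  ecx, NN        ; NN = -(dword count), so ecx = count
#   e8 ff ff ff ff        call $+4            ; lands on its own last byte...
#   c0                    ...which with that ff reads as "ff c0" = inc eax
#   5e                    pop  esi            ; esi = address of the c0 byte
#   81 76 0e KK KK KK KK  xor  dword [esi+0x0e], key   ; 0x0e = payload offset
#   83 ee fc              sub  esi, -4        ; esi += 4
#   e2 f4                 loop back to the xor
#
# Only NN and the key vary, so the remaining 19 bytes are a usable signature.
STUB_RE = re.compile(
    rb"\x31\xc9\x83\xe9(.)\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e(.{4})\x83\xee\xfc\xe2\xf4",
    re.DOTALL,
)
STUB_LEN = 24
MAX_DWORDS = 128  # "sub ecx, imm8" can only express counts up to 128 (assumption)


def _xor_dwords(buf: bytes, key: int) -> bytes:
    """XOR every little-endian dword of buf with key; buf length must be a multiple of 4."""
    return b"".join(struct.pack("<I", d ^ key) for (d,) in struct.iter_unpack("<I", buf))


def encode(payload: bytes, key: int) -> bytes:
    """Stub + XOR-encoded payload in the layout described above.
    The payload is NOP-padded to a dword boundary (my choice of padding byte;
    the decoder never looks at it)."""
    if len(payload) % 4:
        payload += b"\x90" * (4 - len(payload) % 4)
    ndwords = len(payload) // 4
    if not 1 <= ndwords <= MAX_DWORDS:
        raise ValueError(f"payload must be 4..{4 * MAX_DWORDS} bytes for this stub")
    stub = (b"\x31\xc9\x83\xe9" + struct.pack("b", -ndwords)
            + b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" + struct.pack("<I", key)
            + b"\x83\xee\xfc\xe2\xf4")
    return stub + _xor_dwords(payload, key)


def find_stubs(blob: bytes):
    """Yield (offset, dword_count, key) for every stub found in blob (e.g. a memory dump)."""
    for m in STUB_RE.finditer(blob):
        ndwords = -struct.unpack("b", m.group(1))[0]
        if ndwords <= 0:  # "sub ecx, 0" or a positive immediate: not this stub
            continue
        yield m.start(), ndwords, struct.unpack("<I", m.group(2))[0]


def decode(blob: bytes, offset: int) -> bytes:
    """Recover the payload that follows the stub at `offset`."""
    hit = next(find_stubs(blob[offset:offset + STUB_LEN]), None)
    if hit is None or hit[0] != 0:
        raise ValueError("no call4_dword_xor stub at that offset")
    _, ndwords, key = hit
    enc = blob[offset + STUB_LEN:offset + STUB_LEN + 4 * ndwords]
    if len(enc) != 4 * ndwords:
        raise ValueError("blob ends before the stub's dword count is reached")
    return _xor_dwords(enc, key)


# Constructed sample: not shellcode, just bytes to round-trip. Real msfvenom
# output picks the key at random and checks it against the bad-char list.
SAMPLE_PAYLOAD = b"constructed sample payload, not real shellcode!"
SAMPLE_KEY = 0xDEADBEEF


def demo() -> dict:
    """Bury an encoded payload in junk, find the stub, decode what follows it."""
    blob = b"\x00" * 16 + encode(SAMPLE_PAYLOAD, SAMPLE_KEY) + b"\xcc" * 8
    hits = list(find_stubs(blob))
    return {"hits": hits, "decoded": decode(blob, hits[0][0])}


if __name__ == "__main__":
    r = demo()
    for off, n, key in r["hits"]:
        print(f"stub at offset {off}: {n} dwords, key 0x{key:08x}")
    print(r["decoded"])
```

Run find_stubs over the 0x00400000-0x00451000 dumps this report lists to locate the stub; the 19 fixed bytes of STUB_RE also make a serviceable YARA string. Because the key sits in cleartext inside the stub, this encoder gives no confidentiality, only bad-character avoidance, which is why the sandbox can name it from static content alone.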
-
Deletes itself 1 IoCs
pid process
1804 igfxpm32.exe
Executes dropped EXE 32 IoCs
pid process (all 32 entries are C:\Windows\SysWOW64\igfxpm32.exe; PID 1456 is listed twice because two different processes in the tree, at depth 9 and depth 30, carry that PID)
2628, 1804, 2528, 2516, 1952, 2160, 1456, 1224, 2108, 1424, 1792, 1060, 3036, 336, 1612, 1440, 2104, 1920, 1960, 2616, 2644, 2572, 2364, 2368, 2804, 2196, 1040, 1456, 2508, 2916, 1160, 2244 igfxpm32.exe
Loads dropped DLL 32 IoCs
pid process
2564 04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe
2628, 1804, 2528, 2516, 1952, 2160, 1456, 1224, 2108, 1424, 1792, 1060, 3036, 336, 1612, 1440, 2104, 1920, 1960, 2616, 2644, 2572, 2364, 2368, 2804, 2196, 1040, 1456, 2508, 2916, 1160 igfxpm32.exe
Memory regions matching yara rule upx 41 IoCs
resource yara_rule
Every match is the region 0x0000000000400000-0x0000000000451000 of a behavioral1 memory dump, listed here as PID-dump number:
2564-2, 2564-4, 2564-5, 2564-7, 2564-8, 2564-9, 2564-10, 2564-31, 1804-34, 1804-53, 2516-52, 2516-58, 2160-68, 2160-69, 2160-70, 2160-75, 1224-87, 1224-92, 1424-104, 1424-109, 1060-121, 1060-126, 336-138, 336-143, 1440-155, 1440-161, 1920-173, 1920-190, 2616-187, 2616-195, 2572-207, 2572-213, 2368-225, 2368-230, 2196-242, 2196-255, 1456-256, 1456-259, 2916-269, 2916-282, 2244-279
The 17 PIDs with a UPX-packed image at 0x400000 are exactly the target processes of the SetThreadContext entries below, i.e. the copies that were written into by their parents, not the parents themselves.
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc process (34 entries: 32 from igfxpm32.exe, 2 from 04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 17 entries (16 igfxpm32.exe, 1 04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe)
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 17 entries (16 igfxpm32.exe, 1 04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe)
Drops file in System32 directory 49 IoCs
description ioc process (49 entries: 46 from igfxpm32.exe, 3 from 04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe)
File opened for modification C:\Windows\SysWOW64\ 17 entries (16 igfxpm32.exe, 1 04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe)
File created C:\Windows\SysWOW64\igfxpm32.exe 16 entries (15 igfxpm32.exe, 1 04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe)
File opened for modification C:\Windows\SysWOW64\igfxpm32.exe 16 entries (15 igfxpm32.exe, 1 04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe)
Suspicious use of SetThreadContext 17 IoCs
description pid process target process
PID 2940 set thread context of 2564 (04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe -> 04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe)
PID 2628 set thread context of 1804 (igfxpm32.exe -> igfxpm32.exe)
PID 2528 set thread context of 2516 (igfxpm32.exe -> igfxpm32.exe)
PID 1952 set thread context of 2160 (igfxpm32.exe -> igfxpm32.exe)
PID 1456 set thread context of 1224 (igfxpm32.exe -> igfxpm32.exe)
PID 2108 set thread context of 1424 (igfxpm32.exe -> igfxpm32.exe)
PID 1792 set thread context of 1060 (igfxpm32.exe -> igfxpm32.exe)
PID 3036 set thread context of 336 (igfxpm32.exe -> igfxpm32.exe)
PID 1612 set thread context of 1440 (igfxpm32.exe -> igfxpm32.exe)
PID 2104 set thread context of 1920 (igfxpm32.exe -> igfxpm32.exe)
PID 1960 set thread context of 2616 (igfxpm32.exe -> igfxpm32.exe)
PID 2644 set thread context of 2572 (igfxpm32.exe -> igfxpm32.exe)
PID 2364 set thread context of 2368 (igfxpm32.exe -> igfxpm32.exe)
PID 2804 set thread context of 2196 (igfxpm32.exe -> igfxpm32.exe)
PID 1040 set thread context of 1456 (igfxpm32.exe -> igfxpm32.exe)
PID 2508 set thread context of 2916 (igfxpm32.exe -> igfxpm32.exe)
PID 1160 set thread context of 2244 (igfxpm32.exe -> igfxpm32.exe)
Every entry is a parent resetting the thread context of a child that runs the same image, which together with the WriteProcessMemory entries for the same pairs is the footprint of process hollowing (RunPE).
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid process (each PID is listed twice)
2564 04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe
1804, 2516, 2160, 1224, 1424, 1060, 336, 1440, 1920, 2616, 2572, 2368, 2196, 1456, 2916, 2244 igfxpm32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid process target process (the table stops after 64 entries although the process tree continues past 1792)
PID 2940 wrote to memory of 2564 (04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe -> 04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe) 7 entries
PID 2564 wrote to memory of 2628 (04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe -> igfxpm32.exe) 4 entries
PID 2628 wrote to memory of 1804 (igfxpm32.exe -> igfxpm32.exe) 7 entries
PID 1804 wrote to memory of 2528 (igfxpm32.exe -> igfxpm32.exe) 4 entries
PID 2528 wrote to memory of 2516 (igfxpm32.exe -> igfxpm32.exe) 7 entries
PID 2516 wrote to memory of 1952 (igfxpm32.exe -> igfxpm32.exe) 4 entries
PID 1952 wrote to memory of 2160 (igfxpm32.exe -> igfxpm32.exe) 7 entries
PID 2160 wrote to memory of 1456 (igfxpm32.exe -> igfxpm32.exe) 4 entries
PID 1456 wrote to memory of 1224 (igfxpm32.exe -> igfxpm32.exe) 7 entries
PID 1224 wrote to memory of 2108 (igfxpm32.exe -> igfxpm32.exe) 4 entries
PID 2108 wrote to memory of 1424 (igfxpm32.exe -> igfxpm32.exe) 7 entries
PID 1424 wrote to memory of 1792 (igfxpm32.exe -> igfxpm32.exe) 2 entries (cut off by the 64-entry limit)
The 7-entry pairs are exactly the parent/child pairs that also appear under SetThreadContext; the 4-entry pairs have no SetThreadContext entry and are the plain launches of the next dropper instance.
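Neither table above is conclusive on its own: WriteProcessMemory into a fresh child is also what an ordinary CreateProcess leaves behind, and SetThreadContext is what a debugger does. The two have to be joined per parent/child pair. The following is an added example of my own, not part of the Tria.ge report, that parses lines in the report's own "PID X <action> Y X image image" wording, joins writes with SetThreadContext per edge and walks the chain from the root process. REPORT_LINES is a constructed subset copied from this report (the first four hollowing pairs and the write counts shown for them); the regex, the Edge class and the function names are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed subset of this report's SetThreadContext and WriteProcessMemory
# tables (first four hollowing pairs with their write multiplicities).
SAMPLE = "04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe"
DROPPER = "igfxpm32.exe"
REPORT_LINES = (
    [f"PID 2940 set thread context of 2564 2940 {SAMPLE} {SAMPLE}",
     f"PID 2628 set thread context of 1804 2628 {DROPPER} {DROPPER}",
     f"PID 2528 set thread context of 2516 2528 {DROPPER} {DROPPER}",
     f"PID 1952 set thread context of 2160 1952 {DROPPER} {DROPPER}"]
    + [f"PID 2940 wrote to memory of 2564 2940 {SAMPLE} {SAMPLE}"] * 7
    + [f"PID 2564 wrote to memory of 2628 2564 {SAMPLE} {DROPPER}"] * 4
    + [f"PID 2628 wrote to memory of 1804 2628 {DROPPER} {DROPPER}"] * 7
    + [f"PID 1804 wrote to memory of 2528 1804 {DROPPER} {DROPPER}"] * 4
    + [f"PID 2528 wrote to memory of 2516 2528 {DROPPER} {DROPPER}"] * 7
    + [f"PID 2516 wrote to memory of 1952 2516 {DROPPER} {DROPPER}"] * 4
    + [f"PID 1952 wrote to memory of 2160 1952 {DROPPER} {DROPPER}"] * 7
)

# "PID <parent> <action> <child> <parent> <parent image> <child image>"
LINE_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)$"
)


@dataclass
class Edge:
    parent: int
    child: int
    parent_image: str
    child_image: str
    writes: int = 0
    set_context: bool = False

    @property
    def hollowing(self) -> bool:
        # Writes into the child followed by a thread-context reset is the
        # RunPE / process-hollowing footprint; either signal alone is not.
        return self.set_context and self.writes > 0


def build_edges(lines) -> dict:
    """Aggregate the report lines into one Edge per (parent, child) pair."""
    edges = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not one of the two table formats we understand
        parent, action, child, pimg, cimg = int(m[1]), m[2], int(m[3]), m[4], m[5]
        e = edges.setdefault((parent, child), Edge(parent, child, pimg, cimg))
        if action == "wrote to memory of":
            e.writes += 1
        else:
            e.set_context = True
    return edges


def process_order(edges) -> list:
    """Depth-first walk from the PID(s) that never appear as a child.
    The visited set guards against PID reuse turning the tree into a cycle."""
    children_of = defaultdict(list)
    for parent, child in edges:
        children_of[parent].append(child)
    all_children = {child for _, child in edges}
    stack = sorted((p for p in children_of if p not in all_children), reverse=True)
    order, seen = [], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(reversed(children_of.get(pid, [])))
    return order


def summarize(lines) -> dict:
    edges = build_edges(lines)
    hollow = [e for e in edges.values() if e.hollowing]
    return {
        "chain": process_order(edges),
        "hollowing_edges": len(hollow),
        "spawn_edges": len(edges) - len(hollow),
        "self_hollowing": all(e.parent_image == e.child_image for e in hollow),
    }


if __name__ == "__main__":
    s = summarize(REPORT_LINES)
    print(" -> ".join(map(str, s["chain"])))
    print(f'{s["hollowing_edges"]} hollowing edges, {s["spawn_edges"]} plain launches, '
          f'every hollowed child runs its parent image: {s["self_hollowing"]}')
```

On the constructed subset the chain comes out as 2940 -> 2564 -> 2628 -> 1804 -> 2528 -> 2516 -> 1952 -> 2160 with four hollowing edges and three plain launches, alternating exactly as the report's tables do. The same join is what you would build over Sysmon process-access events on a live host; the point is to key on the pair, not on either API.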
Processes
The tree is a single chain: each process is the only child of the one listed above it, and depth 1 is the submitted sample. Image paths and command lines:
depth 1-2: C:\Users\Admin\AppData\Local\Temp\04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe"
depth 3-4: C:\Windows\SysWOW64\igfxpm32.exe, command line "C:\Windows\system32\igfxpm32.exe" C:\Users\Admin\AppData\Local\Temp\04DE69~1.EXE
depth 5-34: C:\Windows\SysWOW64\igfxpm32.exe, command line "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
Signatures per process:
depth 1  PID 2940  Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 2  PID 2564  Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 3  PID 2628  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 4  PID 1804  Deletes itself; Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 5  PID 2528  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 6  PID 2516  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 7  PID 1952  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 8  PID 2160  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 9  PID 1456  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 10 PID 1224  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 11 PID 2108  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
depth 12 PID 1424  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
depth 13 PID 1792  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
depth 14 PID 1060  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
depth 15 PID 3036  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
depth 16 PID 336   Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
depth 17 PID 1612  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
depth 18 PID 1440  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
depth 19 PID 2104  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
depth 20 PID 1920  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
depth 21 PID 1960  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
depth 22 PID 2616  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
depth 23 PID 2644  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
depth 24 PID 2572  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
depth 25 PID 2364  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
depth 26 PID 2368  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
depth 27 PID 2804  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
depth 28 PID 2196  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
depth 29 PID 1040  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
depth 30 PID 1456  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
depth 31 PID 2508  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
depth 32 PID 2916  Executes dropped EXE; Loads dropped DLL; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
depth 33 PID 1160  Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
depth 34 PID 2244  Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
Odd depths from 3 on carry SetThreadContext and nothing else of note; even depths carry the registry read, the drop into SysWOW64 and the process enumeration, and each of them starts the next odd-depth launcher. The WriteProcessMemory flag stops after depth 12 because the WriteProcessMemory table is cut off at 64 entries, not because the behaviour changes.
Network
MITRE ATT&CK Enterprise v15
Downloads
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of a zero-length file, so this download entry is empty)
Filesize 253KB
MD5 04de69c39e4ab507cdb6640e482e8442
SHA1 0399275a2bf1ff96545355f9698e3959f69443a5
SHA256 55285cb81e0cc074503ad5d8c0ad64646d383c9516122d1713df65a9abb7cd45
SHA512 51b267a491cafd99c015a059f5a61d9cc6f2b4669d081f9d9214e3f56f5afba665cbb9cc8f45c6215f96ca6b29ef2c081cba7e7ac127f939c0d149e6e8be18d8
(same size and digests as the submitted sample)