Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-06-2024 02:14
Static task
static1
Behavioral task
behavioral1
Sample
04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe
-
Size
253KB
-
MD5
04de69c39e4ab507cdb6640e482e8442
-
SHA1
0399275a2bf1ff96545355f9698e3959f69443a5
-
SHA256
55285cb81e0cc074503ad5d8c0ad64646d383c9516122d1713df65a9abb7cd45
-
SHA512
51b267a491cafd99c015a059f5a61d9cc6f2b4669d081f9d9214e3f56f5afba665cbb9cc8f45c6215f96ca6b29ef2c081cba7e7ac127f939c0d149e6e8be18d8
-
SSDEEP
6144:hWOjEO8DKAabFAJH+1IvHAgITwf+gTD3VW/+KQUJ:gOjELDK3C9+1QAq2gDTBUJ
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                      process                                              count
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   1
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  igfxpm32.exe                                         15
-
Deletes itself 1 IoCs
pid   process
1516  igfxpm32.exe
-
Executes dropped EXE 30 IoCs
pid   process
3080  igfxpm32.exe
1516  igfxpm32.exe
1704  igfxpm32.exe
2064  igfxpm32.exe
2364  igfxpm32.exe
3648  igfxpm32.exe
4156  igfxpm32.exe
4524  igfxpm32.exe
2876  igfxpm32.exe
4148  igfxpm32.exe
4268  igfxpm32.exe
4808  igfxpm32.exe
2592  igfxpm32.exe
3128  igfxpm32.exe
1984  igfxpm32.exe
2484  igfxpm32.exe
1576  igfxpm32.exe
2060  igfxpm32.exe
4460  igfxpm32.exe
4448  igfxpm32.exe
1616  igfxpm32.exe
4092  igfxpm32.exe
4388  igfxpm32.exe
1640  igfxpm32.exe
2404  igfxpm32.exe
1308  igfxpm32.exe
3176  igfxpm32.exe
1472  igfxpm32.exe
3548  igfxpm32.exe
4884  igfxpm32.exe
-
resource                                                                      yara_rule
behavioral2/memory/1848-0-0x0000000000400000-0x0000000000451000-memory.dmp    upx
behavioral2/memory/1848-2-0x0000000000400000-0x0000000000451000-memory.dmp    upx
behavioral2/memory/1848-4-0x0000000000400000-0x0000000000451000-memory.dmp    upx
behavioral2/memory/1848-3-0x0000000000400000-0x0000000000451000-memory.dmp    upx
behavioral2/memory/1516-43-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/1848-44-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/1516-52-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/2064-53-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/1516-54-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/2064-61-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/4524-68-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/3648-69-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/4524-72-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/4148-76-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/4148-77-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/4148-83-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/4808-88-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/3128-93-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/3128-98-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/2484-103-0x0000000000400000-0x0000000000451000-memory.dmp  upx
behavioral2/memory/2484-107-0x0000000000400000-0x0000000000451000-memory.dmp  upx
behavioral2/memory/2060-117-0x0000000000400000-0x0000000000451000-memory.dmp  upx
behavioral2/memory/4448-121-0x0000000000400000-0x0000000000451000-memory.dmp  upx
behavioral2/memory/4092-127-0x0000000000400000-0x0000000000451000-memory.dmp  upx
behavioral2/memory/4092-135-0x0000000000400000-0x0000000000451000-memory.dmp  upx
behavioral2/memory/1640-143-0x0000000000400000-0x0000000000451000-memory.dmp  upx
behavioral2/memory/1308-151-0x0000000000400000-0x0000000000451000-memory.dmp  upx
behavioral2/memory/4884-158-0x0000000000400000-0x0000000000451000-memory.dmp  upx
behavioral2/memory/1472-161-0x0000000000400000-0x0000000000451000-memory.dmp  upx
-
Maps connected drives based on registry 3 TTPs 32 IoCs
Disk information is often read in order to detect sandboxing environments.
description        ioc                                                          process                                              count
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   1
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    igfxpm32.exe                                         15
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   1
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  igfxpm32.exe                                         15
-
Drops file in System32 directory 48 IoCs
description                   ioc                               process                                              count
File created                  C:\Windows\SysWOW64\igfxpm32.exe  04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   1
File created                  C:\Windows\SysWOW64\igfxpm32.exe  igfxpm32.exe                                         15
File opened for modification  C:\Windows\SysWOW64\              04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   1
File opened for modification  C:\Windows\SysWOW64\              igfxpm32.exe                                         15
File opened for modification  C:\Windows\SysWOW64\igfxpm32.exe  04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   1
File opened for modification  C:\Windows\SysWOW64\igfxpm32.exe  igfxpm32.exe                                         15
-
Suspicious use of SetThreadContext 16 IoCs
description                          pid   process                                              target process
PID 2996 set thread context of 1848  2996  04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe
PID 3080 set thread context of 1516  3080  igfxpm32.exe                                         igfxpm32.exe
PID 1704 set thread context of 2064  1704  igfxpm32.exe                                         igfxpm32.exe
PID 2364 set thread context of 3648  2364  igfxpm32.exe                                         igfxpm32.exe
PID 4156 set thread context of 4524  4156  igfxpm32.exe                                         igfxpm32.exe
PID 2876 set thread context of 4148  2876  igfxpm32.exe                                         igfxpm32.exe
PID 4268 set thread context of 4808  4268  igfxpm32.exe                                         igfxpm32.exe
PID 2592 set thread context of 3128  2592  igfxpm32.exe                                         igfxpm32.exe
PID 1984 set thread context of 2484  1984  igfxpm32.exe                                         igfxpm32.exe
PID 1576 set thread context of 2060  1576  igfxpm32.exe                                         igfxpm32.exe
PID 4460 set thread context of 4448  4460  igfxpm32.exe                                         igfxpm32.exe
PID 1616 set thread context of 4092  1616  igfxpm32.exe                                         igfxpm32.exe
PID 4388 set thread context of 1640  4388  igfxpm32.exe                                         igfxpm32.exe
PID 2404 set thread context of 1308  2404  igfxpm32.exe                                         igfxpm32.exe
PID 3176 set thread context of 1472  3176  igfxpm32.exe                                         igfxpm32.exe
PID 3548 set thread context of 4884  3548  igfxpm32.exe                                         igfxpm32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 16 IoCs
description  ioc                                                                                                        process                                              count
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   1
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  igfxpm32.exe                                         15
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   process                                              count
1848  04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   4
1516  igfxpm32.exe                                         4
2064  igfxpm32.exe                                         4
3648  igfxpm32.exe                                         4
4524  igfxpm32.exe                                         4
4148  igfxpm32.exe                                         4
4808  igfxpm32.exe                                         4
3128  igfxpm32.exe                                         4
2484  igfxpm32.exe                                         4
2060  igfxpm32.exe                                         4
4448  igfxpm32.exe                                         4
4092  igfxpm32.exe                                         4
1640  igfxpm32.exe                                         4
1308  igfxpm32.exe                                         4
1472  igfxpm32.exe                                         4
4884  igfxpm32.exe                                         4
-
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   process                                              target process                                       count
PID 2996 wrote to memory of 1848   2996  04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   7
PID 1848 wrote to memory of 3080   1848  04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe   igfxpm32.exe                                         3
PID 3080 wrote to memory of 1516   3080  igfxpm32.exe                                         igfxpm32.exe                                         7
PID 1516 wrote to memory of 1704   1516  igfxpm32.exe                                         igfxpm32.exe                                         3
PID 1704 wrote to memory of 2064   1704  igfxpm32.exe                                         igfxpm32.exe                                         7
PID 2064 wrote to memory of 2364   2064  igfxpm32.exe                                         igfxpm32.exe                                         3
PID 2364 wrote to memory of 3648   2364  igfxpm32.exe                                         igfxpm32.exe                                         7
PID 3648 wrote to memory of 4156   3648  igfxpm32.exe                                         igfxpm32.exe                                         3
PID 4156 wrote to memory of 4524   4156  igfxpm32.exe                                         igfxpm32.exe                                         7
PID 4524 wrote to memory of 2876   4524  igfxpm32.exe                                         igfxpm32.exe                                         3
PID 2876 wrote to memory of 4148   2876  igfxpm32.exe                                         igfxpm32.exe                                         7
PID 4148 wrote to memory of 4268   4148  igfxpm32.exe                                         igfxpm32.exe                                         3
PID 4268 wrote to memory of 4808   4268  igfxpm32.exe                                         igfxpm32.exe                                         4
Processes
-
[depth 1] PID 2996  C:\Users\Admin\AppData\Local\Temp\04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
[depth 2] PID 1848  C:\Users\Admin\AppData\Local\Temp\04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\04de69c39e4ab507cdb6640e482e8442_JaffaCakes118.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
[depth 3] PID 3080  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Users\Admin\AppData\Local\Temp\04DE69~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
[depth 4] PID 1516  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Users\Admin\AppData\Local\Temp\04DE69~1.EXE
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
[depth 5] PID 1704  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
[depth 6] PID 2064  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
[depth 7] PID 2364  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
[depth 8] PID 3648  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
[depth 9] PID 4156  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
[depth 10] PID 4524  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
[depth 11] PID 2876  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
[depth 12] PID 4148  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
[depth 13] PID 4268  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
[depth 14] PID 4808  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
-
[depth 15] PID 2592  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
-
[depth 16] PID 3128  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
-
[depth 17] PID 1984  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
-
[depth 18] PID 2484  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
-
[depth 19] PID 1576  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
-
[depth 20] PID 2060  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
-
[depth 21] PID 4460  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
-
[depth 22] PID 4448  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
-
[depth 23] PID 1616  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
-
[depth 24] PID 4092  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
-
[depth 25] PID 4388  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
-
[depth 26] PID 1640  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
-
[depth 27] PID 2404  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
-
[depth 28] PID 1308  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
-
[depth 29] PID 3176  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
-
[depth 30] PID 1472  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
-
[depth 31] PID 3548  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
-
[depth 32] PID 4884  C:\Windows\SysWOW64\igfxpm32.exe
  command line: "C:\Windows\system32\igfxpm32.exe" C:\Windows\SysWOW64\igfxpm32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  253KB
MD5       04de69c39e4ab507cdb6640e482e8442
SHA1      0399275a2bf1ff96545355f9698e3959f69443a5
SHA256    55285cb81e0cc074503ad5d8c0ad64646d383c9516122d1713df65a9abb7cd45
SHA512    51b267a491cafd99c015a059f5a61d9cc6f2b4669d081f9d9214e3f56f5afba665cbb9cc8f45c6215f96ca6b29ef2c081cba7e7ac127f939c0d149e6e8be18d8
-
MD5       d41d8cd98f00b204e9800998ecf8427e
SHA1      da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(no filesize is listed for this entry; these four digests are the well-known hashes of a zero-byte file)