Analysis
  max time kernel:  144s
  max time network: 121s
  platform:         windows7_x64
  resource:         win7-20240419-en
  resource tags:    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  submitted:        25/06/2024, 16:27
Behavioral tasks
  behavioral1: sample 0ebfd28036cd25aad0d6f55fa8434db2_JaffaCakes118.exe, resource win7-20240419-en, 7 signatures, 150 seconds
  behavioral2: sample 0ebfd28036cd25aad0d6f55fa8434db2_JaffaCakes118.exe, resource win10v2004-20240611-en, 6 signatures, 150 seconds
General
  Target: 0ebfd28036cd25aad0d6f55fa8434db2_JaffaCakes118.exe
  Size:   50KB
  MD5:    0ebfd28036cd25aad0d6f55fa8434db2
  SHA1:   abc74b95f9e9f2743f7d8358928e00ca635dead5
  SHA256: e6c665812df0c147fb61eef59cccf0b04f9ccb590f2f13cedb59e8d1c6b3e490
  SHA512: 732c5cdf44995db257e85eed656c3a93e6e9fb919d765a11bbab518879645487b7f03309dea98c8c8c13d7f73eb8df8b0511022068d4fca347d08f1153bc4267
  SSDEEP: 1536:VmIMHYK1ynxq30+0PUJVjKd4ajRR/19xV8:Vl83N0PU3j94/1u
Score: 7/10

Malware Config

Signatures
Deletes itself (1 IoC)
  pid 14300  Process not Found

Executes dropped EXE (64 IoCs)
  All 64 are instances of icf.exe. PIDs in order of appearance:
  2984 2600 2700 2724 2596 2740 3064 304 2512 2604 2664 2504 2564 2956 2548 2972 624 2552 2772 2804 2832 1928 1912 1244 1272 1804 1148 2844 1824 1208 2024 2980 2168 2948 1808 1796 1232 2188 2588 1548 2344 2528 2976 2228 292 2244 2904 2776 2836 1460 1776 1628 388 484 780 1072 1416 1572 1400 2852 1952 984 1728 2372

Loads dropped DLL (64 IoCs)
  Two events per process: the sample (PID 1648, 0ebfd28036cd25aad0d6f55fa8434db2_JaffaCakes118.exe) followed by the first 31 icf.exe instances:
  2984 2600 2700 2724 2596 2740 3064 304 2512 2604 2664 2504 2564 2956 2548 2972 624 2552 2772 2804 2832 1928 1912 1244 1272 1804 1148 2844 1824 1208 2024

YARA rule match: upx
  behavioral1/files/0x000b0000000122ee-2.dat
  Memory dumps (behavioral1/memory/<pid>-<n>-<start>-<end>-memory.dmp); every region spans 0x21000 bytes, the same size as the sample's own mapping at 0x400000-0x421000:
  1648-0    0x0000000000400000-0x0000000000421000
  2984-10   0x0000000000400000-0x0000000000421000
  2552-73   0x0000000000400000-0x0000000000421000
  1272-90   0x0000000000400000-0x0000000000421000
  2024-98   0x00000000003D0000-0x00000000003F1000
  292-102   0x0000000000400000-0x0000000000421000
  1800-143  0x0000000000400000-0x0000000000421000
  2712-138  0x0000000000400000-0x0000000000421000
  2584-136  0x0000000000400000-0x0000000000421000
  3020-130  0x0000000000400000-0x0000000000421000
  2436-127  0x0000000000400000-0x0000000000421000
  612-123   0x0000000000400000-0x0000000000421000
  804-118   0x0000000000400000-0x0000000000421000
  2976-105  0x00000000002F0000-0x0000000000311000
  2168-96   0x00000000002F0000-0x0000000000311000
  2980-95   0x00000000001E0000-0x0000000000201000
  2024-93   0x00000000003D0000-0x00000000003F1000
  1804-91   0x00000000002D0000-0x00000000002F1000
  2832-88   0x00000000005C0000-0x00000000005E1000
  2504-52   0x0000000000400000-0x0000000000421000
  2512-42   0x0000000000400000-0x0000000000421000
  304-37    0x0000000000400000-0x0000000000421000
  1648-26   0x0000000000400000-0x0000000000421000
  2724-22   0x0000000000400000-0x0000000000421000
  2984-243  0x0000000000400000-0x0000000000421000
Adds Run key to start application (2 TTPs, 64 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe"
  The same key and value are written 64 times. Each write is attributed either to an icf.exe instance or to "Process not Found" (the sandbox could not map the writing PID to a tracked process). The key lands under Wow6432Node because the writer is a 32-bit process on an x64 guest and the registry redirector steers it there.
Drops file in System32 directory (64 IoCs)
  Every path is under \??\c:\windows\SysWOW64\ (where the file system redirector sends a 32-bit process that asks for c:\windows\system32); writers are icf.exe or "Process not Found".
  File created:                 icf.exe (repeatedly), 2293763.bat, 2359299.bat, 1835011.bat
  File opened for modification: 2293763.bat, 2359299.bat, 3866627.bat, 2555907.bat, 1835011.bat, 2883587.bat, 2818051.bat
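The two signatures above disagree on where icf.exe lives: the Run value says c:\windows\system32\icf.exe, the file IoCs say c:\windows\SysWOW64\icf.exe. Both are the same file seen through WoW64 redirection, and a triage script that takes Run values literally will look in the wrong directory. The Python below is an added example, not part of the tria.ge report: it parses a handful of the report's own Run-key and file IoC records (copied verbatim, joined onto one line as the report renders them), collapses the repeated Run writes into one entry with a per-process count, derives the redirected path whenever the key sits under Wow6432Node, and checks which of the two paths the sandbox actually saw being created. The record layouts in the regexes are assumptions read off the rendered signatures.

```python
import re
from collections import Counter, defaultdict

# Constructed samples: a few IoC records copied from this report's
# "Adds Run key to start application" and "Drops file in System32 directory"
# signatures, joined onto one line the way the report renders them.
RUN_RECORDS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" icf.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icf = "c:\\windows\\system32\\icf.exe" Process not Found',
]
FILE_RECORDS = [
    r"File created \??\c:\windows\SysWOW64\icf.exe icf.exe",
    r"File created \??\c:\windows\SysWOW64\2293763.bat Process not Found",
    r"File opened for modification \??\c:\windows\SysWOW64\2293763.bat icf.exe",
    r"File created \??\c:\windows\SysWOW64\icf.exe Process not Found",
]
RUN_SAMPLE = " ".join(RUN_RECORDS)
FILE_SAMPLE = " ".join(FILE_RECORDS)

# Assumed record layouts, read off how the signatures are rendered.
RUN_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?) = "(?P<value>[^"]*)" '
    r"(?P<proc>Process not Found|\S+)"
)
FILE_RE = re.compile(
    r"File (?P<op>created|opened for modification) \\\?\?\\(?P<path>\S+) "
    r"(?P<proc>Process not Found|\S+)"
)


def unescape(value):
    """The report shows registry string data with doubled backslashes; undo it."""
    return value.replace("\\\\", "\\")


def candidate_paths(value, key):
    r"""On-disk paths to check for a Run value, literal path first.

    A key under SOFTWARE\Wow6432Node was written by a 32-bit process through
    the registry redirector. The file system redirector gives that same process
    a view in which c:\windows\system32 is really c:\windows\SysWOW64, so a
    value pointing at system32 most likely refers to a file in SysWOW64.
    """
    path = unescape(value)
    paths = [path]
    if "\\wow6432node\\" in key.lower():
        m = re.match(r"(?i)^([a-z]:\\windows\\)system32\\(.+)$", path)
        if m:
            paths.append(f"{m.group(1)}SysWOW64\\{m.group(2)}")
    return paths


def persistence_entries(run_text):
    """Collapse repeated Run-key IoCs into unique (key, value) pairs with a
    count of events per attributed process."""
    entries = defaultdict(Counter)
    for m in RUN_RE.finditer(run_text):
        entries[(m["key"], unescape(m["value"]))][m["proc"]] += 1
    return entries


def created_files(file_text):
    """Lower-cased set of paths the sandbox saw being created (NT prefix stripped)."""
    return {m["path"].lower() for m in FILE_RE.finditer(file_text) if m["op"] == "created"}


def reconcile(run_text, file_text):
    """Cross-check each Run value against the dropped-file IoCs: was the literal
    path created, and was its WoW64-redirected twin created?"""
    created = created_files(file_text)
    report = {}
    for (key, value), procs in persistence_entries(run_text).items():
        literal, *redirected = candidate_paths(value, key)
        report[value] = {
            "key": key,
            "events": sum(procs.values()),
            "by_process": dict(procs),
            "literal_path_created": literal.lower() in created,
            "redirected_path_created": any(p.lower() in created for p in redirected),
        }
    return report


if __name__ == "__main__":
    for value, info in reconcile(RUN_SAMPLE, FILE_SAMPLE).items():
        print(value, info)
```

On a live host, check both paths before concluding the persistence is broken: which one the autostart actually resolves depends on the bitness of the process that reads the Run key, so the file in SysWOW64 is the one to collect either way.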
Suspicious use of WriteProcessMemory (64 IoCs)
  Each process writes into the memory of the child it has just spawned, and the report records every hop four times. Read as parent → child (parent image, procid_target):
  1648 → 2984  (0ebfd28036cd25aad0d6f55fa8434db2_JaffaCakes118.exe, 28)
  2984 → 2600  (icf.exe, 29)
  2600 → 2700  (icf.exe, 30)
  2700 → 2724  (icf.exe, 31)
  2724 → 2596  (icf.exe, 32)
  2596 → 2740  (icf.exe, 33)
  2740 → 3064  (icf.exe, 34)
  3064 → 304   (icf.exe, 35)
  304 → 2512   (icf.exe, 36)
  2512 → 2604  (icf.exe, 37)
  2604 → 2664  (icf.exe, 38)
  2664 → 2504  (icf.exe, 39)
  2504 → 2564  (icf.exe, 40)
  2564 → 2956  (icf.exe, 41)
  2956 → 2548  (icf.exe, 42)
  2548 → 2972  (icf.exe, 43)
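The records above describe a strictly linear spawn chain in which every writer after the root is the same dropped binary, which is the pattern the process tree below then shows continuing for over a hundred levels. The Python below is an added example, not part of the tria.ge report: it parses the first four hops of the report's own "wrote to memory of" records (copied verbatim, repeated four times each and flattened onto one line as the report renders them), rebuilds the parent → child edges, walks the chain from the root PID, and reports depth, writes per hop and whether every intermediate writer shares one image name. The record layout in the regex is an assumption read off the rendered signature; the walk stops at a fork or a cycle rather than guessing a path through a branching tree.

```python
import re
from collections import Counter

# Constructed sample: the first four hops of this report's
# "Suspicious use of WriteProcessMemory" records. The signature renders every
# record four times on one flattened line; reproduce that here.
HOPS = [
    "PID 1648 wrote to memory of 2984 1648 0ebfd28036cd25aad0d6f55fa8434db2_JaffaCakes118.exe 28",
    "PID 2984 wrote to memory of 2600 2984 icf.exe 29",
    "PID 2600 wrote to memory of 2700 2600 icf.exe 30",
    "PID 2700 wrote to memory of 2724 2700 icf.exe 31",
]
SAMPLE = " ".join(rec for rec in HOPS for _ in range(4))

# Assumed record layout (matches the rendered signature):
#   PID <src> wrote to memory of <dst> <src> <src image> <procid_target>
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_writes(text):
    """Return (src_pid, dst_pid, src_image) for every record in the flattened text."""
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in RECORD.finditer(text)]


def lineage(records, root):
    """Walk write edges from root one child at a time.

    Stops when the current process has no unvisited child, or more than one
    (a fork), so a linear chain comes back intact and a branching tree is
    reported only up to the fork instead of being guessed at.
    """
    children = {}
    for src, dst, _ in records:
        children.setdefault(src, set()).add(dst)
    chain, seen = [root], {root}
    while True:
        nxt = children.get(chain[-1], set()) - seen
        if len(nxt) != 1:
            return chain
        (pid,) = nxt
        chain.append(pid)
        seen.add(pid)


def summarize(text, root):
    """Depth of the spawn chain, writes per hop, and whether every intermediate
    writer is the same image (the relaunch-yourself pattern this sample shows)."""
    records = parse_writes(text)
    chain = lineage(records, root)
    per_edge = Counter((s, d) for s, d, _ in records)
    image_of = {s: img for s, _, img in records}
    writers = {image_of[p] for p in chain[1:-1]}
    return {
        "chain": chain,
        "depth": len(chain) - 1,
        "writes_per_hop": [per_edge[(a, b)] for a, b in zip(chain, chain[1:])],
        "same_image_chain": len(writers) == 1,
        "child_image": next(iter(writers), None),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE, 1648))
```

Fed the full signature text, the same code yields the 16-hop chain from 1648 to 2972 listed above; a depth in the dozens with a single repeated child image is a cheap, reliable flag for this kind of self-relaunching dropper in any sandbox output that exposes parent and child PIDs.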
Processes
The root process is the submitted sample; every descendant is the dropped copy relaunching itself, 122 levels deep in the recorded tree. All descendants share one image and command line:
  image:        \??\c:\windows\SysWOW64\icf.exe
  command line: c:\windows\system32\icf.exe
The two disagree because the 32-bit process asks for c:\windows\system32\icf.exe and the WoW64 file system redirector resolves that to SysWOW64 on this x64 guest.

depth  PID   signatures
    1  1648  C:\Users\Admin\AppData\Local\Temp\0ebfd28036cd25aad0d6f55fa8434db2_JaffaCakes118.exe
             command line: "C:\Users\Admin\AppData\Local\Temp\0ebfd28036cd25aad0d6f55fa8434db2_JaffaCakes118.exe"
             Loads dropped DLL; Suspicious use of WriteProcessMemory
    2  2984  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    3  2600  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    4  2700  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    5  2724  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    6  2596  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    7  2740  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    8  3064  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    9  304   Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
   10  2512  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
   11  2604  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
   12  2664  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
   13  2504  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
   14  2564  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
   15  2956  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
   16  2548  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
   17  2972  Executes dropped EXE; Loads dropped DLL
   18  624   Executes dropped EXE; Loads dropped DLL
   19  2552  Executes dropped EXE; Loads dropped DLL
   20  2772  Executes dropped EXE; Loads dropped DLL
   21  2804  Executes dropped EXE; Loads dropped DLL
   22  2832  Executes dropped EXE; Loads dropped DLL
   23  1928  Executes dropped EXE; Loads dropped DLL
   24  1912  Executes dropped EXE; Loads dropped DLL
   25  1244  Executes dropped EXE; Loads dropped DLL
   26  1272  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
   27  1804  Executes dropped EXE; Loads dropped DLL
   28  1148  Executes dropped EXE; Loads dropped DLL
   29  2844  Executes dropped EXE; Loads dropped DLL
   30  1824  Executes dropped EXE; Loads dropped DLL
   31  1208  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
   32  2024  Executes dropped EXE; Loads dropped DLL
   33  2980  Executes dropped EXE
   34  2168  Executes dropped EXE
   35  2948  Executes dropped EXE
   36  1808  Executes dropped EXE
   37  1796  Executes dropped EXE
   38  1232  Executes dropped EXE
   39  2188  Executes dropped EXE
   40  2588  Executes dropped EXE
   41  1548  Executes dropped EXE
   42  2344  Executes dropped EXE
   43  2528  Executes dropped EXE
   44  2976  Executes dropped EXE
   45  2228  Executes dropped EXE
   46  292   Executes dropped EXE
   47  2244  Executes dropped EXE
   48  2904  Executes dropped EXE
   49  2776  Executes dropped EXE
   50  2836  Executes dropped EXE
   51  1460  Executes dropped EXE
   52  1776  Executes dropped EXE
   53  1628  Executes dropped EXE
   54  388   Executes dropped EXE
   55  484   Executes dropped EXE
   56  780   Executes dropped EXE
   57  1072  Executes dropped EXE
   58  1416  Executes dropped EXE
   59  1572  Executes dropped EXE
   60  1400  Executes dropped EXE
   61  2852  Executes dropped EXE
   62  1952  Executes dropped EXE
   63  984   Executes dropped EXE
   64  1728  Executes dropped EXE
   65  2372  Executes dropped EXE
   66  2464  (none)
   67  1908  Adds Run key to start application
   68  804   (none)
   69  3060  (none)
   70  3052  (none)
   71  692   (none)
   72  824   (none)
   73  2416  (none)
   74  1180  (none)
   75  1220  (none)
   76  612   (none)
   77  1956  (none)
   78  1212  (none)
   79  1436  (none)
   80  1704  (none)
   81  1480  (none)
   82  1700  (none)
   83  272   (none)
   84  2020  (none)
   85  1292  (none)
   86  344   (none)
   87  2072  (none)
   88  2436  (none)
   89  1560  (none)
   90  1964  (none)
   91  1576  (none)
   92  752   (none)
   93  2232  Drops file in System32 directory
   94  2200  Adds Run key to start application
   95  2248  (none)
   96  3020  Drops file in System32 directory
   97  2404  (none)
   98  2996  (none)
   99  1668  (none)
  100  2140  (none)
  101  2076  (none)
  102  1500  (none)
  103  2432  Adds Run key to start application
  104  2932  (none)
  105  876   (none)
  106  1112  (none)
  107  1720  (none)
  108  988   (none)
  109  2392  (none)
  110  2868  (none)
  111  316   (none)
  112  1432  (none)
  113  884   (none)
  114  2920  (none)
  115  1616  (none)
  116  1708  (none)
  117  2216  (none)
  118  1556  (none)
  119  2172  (none)
  120  1536  (none)
  121  2284  (none)
  122  2060  (none)