Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 06-07-2024 10:02
Behavioral task: behavioral1
Sample: 282610597acea461a3ac75a2e99f88d4_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 282610597acea461a3ac75a2e99f88d4_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 282610597acea461a3ac75a2e99f88d4_JaffaCakes118.exe
Size: 213KB
MD5: 282610597acea461a3ac75a2e99f88d4
SHA1: 373e8458415451c96d9d2f0cbe50efac3e9503da
SHA256: 93c0e607db680fbb839ee4d2c727f171e7432e6bfa8751a3f81c35674acb48d2
SHA512: e4de1d98d42ec8cad4862d13ee38134dccb44b727d14d7896d2d1ef4dead0a8e6d26930ecb5f23f54d46e5134201a579fee279a1164bf98ee14f549c56791d7f
SSDEEP: 6144:BDyhxg7VpHptITtjtjyL2/2Y1XsgS/4FZq:Bew2Ttjtj6nY18geuZq
Malware Config
Extracted: metasploit
Encoder: encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself (1 IoC)
PID 2524 igfxdm32.exe
Executes dropped EXE (47 IoCs)
Loads dropped DLL (64 IoCs)
Maps connected drives based on registry (3 TTPs, 64 IoCs)
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\282610597acea461a3ac75a2e99f88d4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\282610597acea461a3ac75a2e99f88d4_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Users\Admin\AppData\Local\Temp\282610~1.EXE2⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:480 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:888 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2864 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:980 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2032 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1720 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2560 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1944 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2960 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2484 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2968 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2504 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:348 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2696 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1504 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:340 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1908 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe33⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe34⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:620 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe35⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:1256 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe37⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe38⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe39⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe40⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe43⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe44⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe45⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe46⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\igfxdm32.exe"C:\Windows\system32\igfxdm32.exe" C:\Windows\SysWOW64\igfxdm32.exe48⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:2400
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 213KB
MD5: 282610597acea461a3ac75a2e99f88d4
SHA1: 373e8458415451c96d9d2f0cbe50efac3e9503da
SHA256: 93c0e607db680fbb839ee4d2c727f171e7432e6bfa8751a3f81c35674acb48d2
SHA512: e4de1d98d42ec8cad4862d13ee38134dccb44b727d14d7896d2d1ef4dead0a8e6d26930ecb5f23f54d46e5134201a579fee279a1164bf98ee14f549c56791d7f