Analysis
max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
06-07-2024 11:07
Behavioral task
behavioral1
Sample
2854e9e5e2a0f5b574342369a3bfe379_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2854e9e5e2a0f5b574342369a3bfe379_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
Target
2854e9e5e2a0f5b574342369a3bfe379_JaffaCakes118.exe
Size
196KB
MD5
2854e9e5e2a0f5b574342369a3bfe379
SHA1
e777573f51078e708926dcc0ee5da31ffa0b55bf
SHA256
2a3bf4305468e320cc62fcefc23fb056237c8739f31838e27114eca9c912e396
SHA512
a5ea8ef669627dddfcf91d4745bfaadc379a10b9f20d32ac955bf5978ad67a72bbcf33697a02b17638c25f98168d018e86f23e51e423692aac8ae70724c44a17
SSDEEP
6144:jUnzFF2S9eRo5mIlZMATk72l9xfgb33egP1L:jEFoS8WmIQAA7C9RO1L
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself 1 IoCs
pid Process 2388 igfxman86.exe
Executes dropped EXE 47 IoCs
Loads dropped DLL 64 IoCs
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\2854e9e5e2a0f5b574342369a3bfe379_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2854e9e5e2a0f5b574342369a3bfe379_JaffaCakes118.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1984
Depth 2: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Users\Admin\AppData\Local\Temp\2854E9~1.EXE
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2388
Depth 3: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2692
Depth 4: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2180
Depth 5: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2980
Depth 6: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2560
Depth 7: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2944
Depth 8: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 372
Depth 9: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1700
Depth 10: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1420
Depth 11: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1288
Depth 12: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2068
Depth 13: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1804
Depth 14: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1472
Depth 15: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1128
Depth 16: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1316
Depth 17: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1080
Depth 18: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 284
Depth 19: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 884
Depth 20: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1936
Depth 21: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2152
Depth 22: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1996
Depth 23: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 2616
Depth 24: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2528
Depth 25: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2692
Depth 26: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2568
Depth 27: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1704
Depth 28: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2580
Depth 29: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 2224
Depth 30: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2952
Depth 31: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1036
Depth 32: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1520
Depth 33: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 828
Depth 34: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2588
Depth 35: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2816
Depth 36: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2012
Depth 37: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2672
Depth 38: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 1748
Depth 39: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 1548
Depth 40: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  PID: 2208
Depth 41: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2424
Depth 42: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 3064
Depth 43: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2392
Depth 44: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  PID: 1792
Depth 45: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2164
Depth 46: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2740
Depth 47: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  PID: 2596
Depth 48: C:\Windows\SysWOW64\igfxman86.exe
  Command line: "C:\Windows\system32\igfxman86.exe" C:\Windows\SysWOW64\IGFXMA~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  PID: 1500
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
196KB
MD5
2854e9e5e2a0f5b574342369a3bfe379
SHA1
e777573f51078e708926dcc0ee5da31ffa0b55bf
SHA256
2a3bf4305468e320cc62fcefc23fb056237c8739f31838e27114eca9c912e396
SHA512
a5ea8ef669627dddfcf91d4745bfaadc379a10b9f20d32ac955bf5978ad67a72bbcf33697a02b17638c25f98168d018e86f23e51e423692aac8ae70724c44a17