Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
14-07-2024 05:10
General
-
Target
447018747bb1d4d1428075608440ad52_JaffaCakes118.exe
-
Size
202KB
-
MD5
447018747bb1d4d1428075608440ad52
-
SHA1
73fc3ed65261e5f8455d03ff63b12d0e72833d0c
-
SHA256
8328c10e0d2bffa1fd91956b47549f89b27ee560ceaa622b3ff4a205b31b4f33
-
SHA512
02cb15d85a939c521e8de4ef6989f4704c421f2351cbc20d48f81f4b432d673e7ee2bead3e56d59448c203f7292e14e0cf1a27100aa46169600a4b4df4188605
-
SSDEEP
6144:/S+Fau0KN3GvqCkwNj0iIinvXhNNlTxTcIOK:/FUkNTCHjhIWNNTca
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 41 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 41 IoCs
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 42 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\447018747bb1d4d1428075608440ad52_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\447018747bb1d4d1428075608440ad52_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Users\Admin\AppData\Local\Temp\447018~1.EXE2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe17⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe23⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe29⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe31⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe35⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe36⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe37⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe38⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe39⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe40⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe41⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxdr32.exe"C:\Windows\system32\igfxdr32.exe" C:\Windows\SysWOW64\igfxdr32.exe42⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5447018747bb1d4d1428075608440ad52
SHA173fc3ed65261e5f8455d03ff63b12d0e72833d0c
SHA2568328c10e0d2bffa1fd91956b47549f89b27ee560ceaa622b3ff4a205b31b4f33
SHA51202cb15d85a939c521e8de4ef6989f4704c421f2351cbc20d48f81f4b432d673e7ee2bead3e56d59448c203f7292e14e0cf1a27100aa46169600a4b4df4188605
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
72KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB