Analysis
  max time kernel: 150s
  max time network: 140s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09-09-2024 20:31
Static task: static1

Behavioral task: behavioral1
  Sample: d70bbffde1f96f0d0afc95c46e6847f7_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: d70bbffde1f96f0d0afc95c46e6847f7_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: d70bbffde1f96f0d0afc95c46e6847f7_JaffaCakes118.exe
  Size: 170KB
  MD5: d70bbffde1f96f0d0afc95c46e6847f7
  SHA1: bdcbdda140a2c5e860d2e49ddd174f34aaa37cef
  SHA256: 4c2b68261c4bbd54a019852de5495f6791afe4a79b8a51f9e41a0515e4be2ad7
  SHA512: 114e7e75c36edf741fc8e624a5649ec4b37610408787608bbcc83a251e494aae081f3e836b8f20908ef6456d86ffa104b561c633e4db8c9066b88513f279d689
  SSDEEP: 3072:P2+45HYgeH+0toWf4V/FqiQPpurbv/5u+8KxpyrW4349pwXIb20GOZ3+28:OYg6f4V/FqiQPpCbvxu+dLr4WpE02lOE
Malware Config
  Extracted:
    metasploit
    encoder/call4_dword_xor
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Checks computer location settings (2 TTPs, 17 IoCs)
  Looks up country code configured in the registry, likely geofence.
Deletes itself (1 IoC)
  PID 4812: igfxwl32.exe

Executes dropped EXE (32 IoCs)
Maps connected drives based on registry (3 TTPs, 34 IoCs)
  Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory (51 IoCs)
Suspicious use of SetThreadContext (17 IoCs)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 34 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (17 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\d70bbffde1f96f0d0afc95c46e6847f7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d70bbffde1f96f0d0afc95c46e6847f7_JaffaCakes118.exe"
  PID: 2328
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 2: C:\Users\Admin\AppData\Local\Temp\d70bbffde1f96f0d0afc95c46e6847f7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d70bbffde1f96f0d0afc95c46e6847f7_JaffaCakes118.exe"
  PID: 904
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\D70BBF~1.EXE
  PID: 1848
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\D70BBF~1.EXE
  PID: 4812
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 468
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 6: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 2600
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4512
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 8: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 3644
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 9: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 3664
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 10: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4616
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 11: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 3852
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 12: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 3972
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 13: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4796
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 14: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4384
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
Level 15: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 1044
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Level 16: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4080
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
Level 17: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4108
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Level 18: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 1772
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
Level 19: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4116
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Level 20: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 2904
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:436 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2288 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4364 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1212 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3388 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4360 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:208 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4676 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe35⤵PID:1812
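Two things in the tree above are worth pulling out mechanically rather than by eye. First, every level is the same image re-launching itself, and the levels alternate: odd levels carry "Suspicious use of SetThreadContext" while the even levels between them drop files and touch the registry, which is how a spawn-then-overwrite (process hollowing style) launch usually presents, although the report itself only records the API use. Second, the command line names C:\Windows\system32\igfxwl32.exe while the image path is C:\Windows\SysWOW64\igfxwl32.exe; that is WOW64 file-system redirection for a 32-bit process, not two different files, so any detection that compares paths has to fold the two directories together. The script below is an added example, not the sandbox's own tooling: it parses the flattened one-line-per-node layout this page uses, rebuilds parent/child links from the depth counter, and reports runs of the same image re-executing itself. The sample input is constructed to mirror the page's entries; the PIDs, the tag subset and the notepad node are made up for illustration.

```python
"""Parse the flattened process list of a sandbox report (the layout used on
this page) and flag a chain of one image re-launching itself.

Added example, not the sandbox's own code. SAMPLE is constructed to mirror
the page's entries; its PIDs, tag subset and the notepad node are made up.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the page's flattened layout: image path, quoted
# command line and tree depth fused on one line, then tags, then the PID.
SAMPLE = (
    'C:\\Windows\\SysWOW64\\igfxwl32.exe"C:\\Windows\\system32\\igfxwl32.exe" '
    'C:\\Windows\\SysWOW64\\igfxwl32.exe15⤵\n'
    '- Executes dropped EXE\n'
    '- Suspicious use of SetThreadContext\n'
    'PID:1044 -\n'
    'C:\\Windows\\SysWOW64\\igfxwl32.exe"C:\\Windows\\system32\\igfxwl32.exe" '
    'C:\\Windows\\SysWOW64\\igfxwl32.exe16⤵\n'
    '- Checks computer location settings\n'
    '- Executes dropped EXE\n'
    '- Drops file in System32 directory\n'
    'PID:4080 -\n'
    'C:\\Windows\\SysWOW64\\igfxwl32.exe"C:\\Windows\\system32\\igfxwl32.exe" '
    'C:\\Windows\\SysWOW64\\igfxwl32.exe17⤵\n'
    '- Executes dropped EXE\n'
    '- Suspicious use of SetThreadContext\n'
    'PID:4108 -\n'
    'C:\\Windows\\System32\\notepad.exe"C:\\Windows\\System32\\notepad.exe"18⤵\n'
    'PID:5000 -\n'
)

# image path, then the command line (always starts with a quote here), then
# the depth counter glued to the end of the line just before the arrow glyph
HEADER = re.compile(r'^(?P<image>[A-Za-z]:\\.+?\.exe)(?P<cmdline>".*?)(?P<depth>\d+)⤵$')
PID_LINE = re.compile(r'^PID:(?P<pid>\d+)')
TAG_LINE = re.compile(r'^- (?P<tag>.+)$')


@dataclass
class ProcNode:
    image: str
    cmdline: str
    depth: int
    pid: int = 0
    tags: list = field(default_factory=list)


def parse_process_list(text):
    """Nodes in report order; tag and PID lines attach to the last header seen."""
    nodes = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := HEADER.match(line):
            nodes.append(ProcNode(m["image"], m["cmdline"], int(m["depth"])))
        elif (m := PID_LINE.match(line)) and nodes:
            nodes[-1].pid = int(m["pid"])
        elif (m := TAG_LINE.match(line)) and nodes:
            nodes[-1].tags.append(m["tag"])
    return nodes


def normalize_image(path):
    """Fold WOW64 file-system redirection: a 32-bit process that opens
    C:\\Windows\\system32\\x.exe actually gets C:\\Windows\\SysWOW64\\x.exe."""
    return re.sub(r'\\system32\\', r'\\syswow64\\', path.lower())


def argv0(cmdline):
    """First token of a Windows command line, quoted or bare."""
    m = re.match(r'"([^"]*)"|(\S+)', cmdline)
    return m.group(1) if m.group(1) is not None else m.group(2)


def wow64_redirected(node):
    """True when argv[0] and the loaded image differ only by the WOW64 directory."""
    a0 = argv0(node.cmdline)
    return a0.lower() != node.image.lower() and normalize_image(a0) == normalize_image(node.image)


def self_respawn_chains(nodes, min_len=3):
    """Runs of parent->child nodes (depth grows by one each step) that share
    one normalized image, i.e. a program repeatedly launching a copy of itself."""
    chains, run = [], []

    def flush():
        if len(run) >= min_len:
            chains.append({
                "image": normalize_image(run[0].image),
                "pids": [n.pid for n in run],
                "depths": (run[0].depth, run[-1].depth),
                "setthreadcontext": sum("Suspicious use of SetThreadContext" in n.tags for n in run),
                "wow64_redirected": all(wow64_redirected(n) for n in run),
            })
        run.clear()

    for node in nodes:
        if run and node.depth == run[-1].depth + 1 \
                and normalize_image(node.image) == normalize_image(run[-1].image):
            run.append(node)
        else:
            flush()
            run.append(node)
    flush()
    return chains


if __name__ == "__main__":
    for chain in self_respawn_chains(parse_process_list(SAMPLE)):
        print(chain)
```

Against the full tree on this page the chain runs from level 15 to level 35 with every node WOW64-redirected and SetThreadContext on every other node; raise `min_len` if a two- or three-deep self-relaunch is normal for an installer in your environment.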
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 170KB
- MD5: d70bbffde1f96f0d0afc95c46e6847f7
- SHA1: bdcbdda140a2c5e860d2e49ddd174f34aaa37cef
- SHA256: 4c2b68261c4bbd54a019852de5495f6791afe4a79b8a51f9e41a0515e4be2ad7
- SHA512: 114e7e75c36edf741fc8e624a5649ec4b37610408787608bbcc83a251e494aae081f3e836b8f20908ef6456d86ffa104b561c633e4db8c9066b88513f279d689