Analysis
max time kernel: 147s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-09-2024 06:21

Static task: static1

Behavioral task: behavioral1
Sample: d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
Size: 172KB
MD5: d7b48de67ccb831c7f7affbdb3f0d036
SHA1: f8052c9de58970c57cf64fa35fffa0c156b3515b
SHA256: 364b6f98b3ce4ca5591247526477a8580653ec6e61a8bd1eee09d5e678f9e31b
SHA512: d5cb142de15e2bd68c8fe9ba70120661c1f7c9df5bd8ac80f4a9fd9dcf30efb1d47aa0d19641e4b7d71cea14761678eaf09a506dadd4cda6e09b53618f5a6394
SSDEEP: 3072:3Xi6q0Y+kC8OoxD3y4rWnyDUot9jhYTOFDjy5EW37szsbkRawiopfvE:3iTC8f1yO6yDUoDVYTzEWLsgbqaMpfc
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Deletes itself (1 IoC)
pid  Process
2636  igfxpk32.exe
Executes dropped EXE (33 IoCs)
pid  Process
All 33 entries are igfxpk32.exe, with pids:
304, 2636, 2684, 2564, 480, 2876, 2584, 492, 1956, 1508, 2088, 1640, 1564, 940, 1932, 660, 1000, 2076, 1036, 1940, 2276, 2808, 2544, 376, 2864, 2040, 2848, 1632, 3048, 2496, 3000, 1996, 568
Loads dropped DLL (17 IoCs)
pid  Process
2300  d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
The remaining 16 entries are igfxpk32.exe, with pids:
2636, 2564, 2876, 492, 1508, 1640, 940, 660, 2076, 1940, 2808, 376, 2040, 1632, 2496, 1996

resource  yara_rule
All 42 entries match rule upx on the behavioral1 memory region 0x0000000032570000-0x00000000325D6000 (memory.dmp), for the dumps:
2300-2, 2300-6, 2300-9, 2300-8, 2300-7, 2300-4, 2300-3, 2300-19, 2636-28, 2636-31, 2636-30, 2636-29, 2636-36, 2564-48, 2564-52, 2876-64, 2876-62, 2876-63, 2876-70, 492-81, 492-79, 492-80, 492-85, 1508-97, 1508-96, 1508-95, 1508-101, 1640-113, 1640-118, 940-130, 940-135, 660-150, 2076-159, 2076-167, 1940-182, 2808-197, 376-213, 2040-228, 1632-237, 1632-244, 2496-259, 1996-274
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.
description  ioc  Process  (entries)
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxpk32.exe  (16)
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe  (1)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxpk32.exe  (16)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe  (1)
Drops file in System32 directory (51 IoCs)
description  ioc  Process  (entries)
File opened for modification  C:\Windows\SysWOW64\  igfxpk32.exe  (16)
File opened for modification  C:\Windows\SysWOW64\  d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe  (1)
File opened for modification  C:\Windows\SysWOW64\igfxpk32.exe  igfxpk32.exe  (16)
File opened for modification  C:\Windows\SysWOW64\igfxpk32.exe  d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe  (1)
File created  C:\Windows\SysWOW64\igfxpk32.exe  igfxpk32.exe  (16)
File created  C:\Windows\SysWOW64\igfxpk32.exe  d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe  (1)
Suspicious use of SetThreadContext (17 IoCs)
description  pid  Process  procid_target
PID 2060 set thread context of 2300  2060  d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe  31
PID 304 set thread context of 2636  304  igfxpk32.exe  33
PID 2684 set thread context of 2564  2684  igfxpk32.exe  35
PID 480 set thread context of 2876  480  igfxpk32.exe  37
PID 2584 set thread context of 492  2584  igfxpk32.exe  39
PID 1956 set thread context of 1508  1956  igfxpk32.exe  41
PID 2088 set thread context of 1640  2088  igfxpk32.exe  43
PID 1564 set thread context of 940  1564  igfxpk32.exe  45
PID 1932 set thread context of 660  1932  igfxpk32.exe  48
PID 1000 set thread context of 2076  1000  igfxpk32.exe  50
PID 1036 set thread context of 1940  1036  igfxpk32.exe  52
PID 2276 set thread context of 2808  2276  igfxpk32.exe  54
PID 2544 set thread context of 376  2544  igfxpk32.exe  56
PID 2864 set thread context of 2040  2864  igfxpk32.exe  58
PID 2848 set thread context of 1632  2848  igfxpk32.exe  60
PID 3048 set thread context of 2496  3048  igfxpk32.exe  62
PID 3000 set thread context of 1996  3000  igfxpk32.exe  64
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 34 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process  (entries)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxpk32.exe  (32)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe  (2)
Suspicious behavior: EnumeratesProcesses (34 IoCs)
pid  Process
Each pid below appears twice in the list:
2300  d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
igfxpk32.exe with pids 2636, 2564, 2876, 492, 1508, 1640, 940, 660, 2076, 1940, 2808, 376, 2040, 1632, 2496, 1996
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target  (entries)
PID 2060 wrote to memory of 2300  2060  d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe  31  (7)
PID 2300 wrote to memory of 304  2300  d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe  32  (4)
PID 304 wrote to memory of 2636  304  igfxpk32.exe  33  (7)
PID 2636 wrote to memory of 2684  2636  igfxpk32.exe  34  (4)
PID 2684 wrote to memory of 2564  2684  igfxpk32.exe  35  (7)
PID 2564 wrote to memory of 480  2564  igfxpk32.exe  36  (4)
PID 480 wrote to memory of 2876  480  igfxpk32.exe  37  (7)
PID 2876 wrote to memory of 2584  2876  igfxpk32.exe  38  (4)
PID 2584 wrote to memory of 492  2584  igfxpk32.exe  39  (7)
PID 492 wrote to memory of 1956  492  igfxpk32.exe  40  (4)
PID 1956 wrote to memory of 1508  1956  igfxpk32.exe  41  (7)
PID 1508 wrote to memory of 2088  1508  igfxpk32.exe  42  (2)
Processes
(The number in brackets is the nesting depth in the process tree.)

[1] C:\Users\Admin\AppData\Local\Temp\d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2060

[2] C:\Users\Admin\AppData\Local\Temp\d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe"
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2300

[3] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\D7B48D~1.EXE
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 304

[4] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\D7B48D~1.EXE
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2636

[5] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2684

[6] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2564

[7] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 480

[8] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2876

[9] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2584

[10] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 492

[11] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1956

[12] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1508

[13] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 2088

[14] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1640

[15] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 1564

[16] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 940

[17] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 1932

[18] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 660

[19] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 1000

[20] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2076

[21] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 1036

[22] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1940

[23] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 2276

[24] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2808

[25] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 2544

[26] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 376

[27] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 2864

[28] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2040

[29] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 2848

[30] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1632

[31] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 3048

[32] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2496

[33] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 3000

[34] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1996

[35] C:\Windows\SysWOW64\igfxpk32.exe
    Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
    - Executes dropped EXE
    PID: 568
Downloads
Filesize: 172KB
MD5: d7b48de67ccb831c7f7affbdb3f0d036
SHA1: f8052c9de58970c57cf64fa35fffa0c156b3515b
SHA256: 364b6f98b3ce4ca5591247526477a8580653ec6e61a8bd1eee09d5e678f9e31b
SHA512: d5cb142de15e2bd68c8fe9ba70120661c1f7c9df5bd8ac80f4a9fd9dcf30efb1d47aa0d19641e4b7d71cea14761678eaf09a506dadd4cda6e09b53618f5a6394