Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-09-2024 06:21
Static task: static1
Behavioral task: behavioral1
- Sample: d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
- Size: 172KB
- MD5: d7b48de67ccb831c7f7affbdb3f0d036
- SHA1: f8052c9de58970c57cf64fa35fffa0c156b3515b
- SHA256: 364b6f98b3ce4ca5591247526477a8580653ec6e61a8bd1eee09d5e678f9e31b
- SHA512: d5cb142de15e2bd68c8fe9ba70120661c1f7c9df5bd8ac80f4a9fd9dcf30efb1d47aa0d19641e4b7d71cea14761678eaf09a506dadd4cda6e09b53618f5a6394
- SSDEEP: 3072:3Xi6q0Y+kC8OoxD3y4rWnyDUot9jhYTOFDjy5EW37szsbkRawiopfvE:3iTC8f1yO6yDUoDVYTzEWLsgbqaMpfc
Malware Config
Extracted: metasploit
- encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Checks computer location settings (2 TTPs, 17 IoCs)
  Looks up country code configured in the registry, likely geofence.
- Deletes itself (1 IoC)
  PID 4972, Process igfxpk32.exe
- Executes dropped EXE (32 IoCs)
- Maps connected drives based on registry (3 TTPs, 34 IoCs)
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory (51 IoCs)
- Suspicious use of SetThreadContext (16 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 34 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies registry class (17 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2728
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d7b48de67ccb831c7f7affbdb3f0d036_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1708
Process (depth 3): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\D7B48D~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3012
Process (depth 4): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\D7B48D~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4972
Process (depth 5): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2308
Process (depth 6): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3492
Process (depth 7): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3660
Process (depth 8): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4736
Process (depth 9): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 5072
Process (depth 10): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1260
Process (depth 11): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3592
Process (depth 12): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3548
Process (depth 13): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2868
Process (depth 14): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3828
Process (depth 15): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3864
Process (depth 16): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1944
Process (depth 17): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 216
Process (depth 18): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2144
Process (depth 19): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1604
Process (depth 20): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4980
Process (depth 21): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 916
Process (depth 22): C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1616 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4528 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4232 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3196 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1424 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4312 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:532 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1752 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4832 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:712 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe35⤵PID:3884
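The tree above repeats one two-stage pattern nineteen times: a copy of igfxpk32.exe that uses SetThreadContext spawns another copy of the same image, which drops a file under the System32 directory, touches the registry, and spawns the next SetThreadContext stage. That is easier to reason about as records than as the raw export, so here is an added example in Python (not part of the sandbox report or its tooling) that parses entries in the form the export uses (image path, quoted command line and depth marker run together on one line, signatures as "-" bullets, the PID on the following line or fused onto the header), links each process to the latest entry one level shallower, and flags two things: a parent with SetThreadContext whose child has the same image (the create-suspended, write, SetThreadContext, resume injection sequence), and stages that both drop and execute a file in the System32 directory. It also notes entries whose command line names system32 while the loaded image sits in SysWOW64: on 64-bit Windows the WOW64 file-system redirector maps System32 to SysWOW64 for 32-bit processes, so a hunt for the dropped copy by path should look under SysWOW64 as well. The embedded input is a constructed excerpt: entries 16 to 18 and the final entry 35 copied from the report, 19 to 34 omitted, so 35 (and 16, whose parent lies before the excerpt) have no parent and are reported as orphans rather than breaking the parser. Paths without spaces are assumed.

```python
"""Parse a sandbox process-tree export and flag the self-respawn / SetThreadContext chain.
Added example, not part of the sandbox report or its tooling."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the raw export form: entries 16-18 and the final entry 35
# copied from the report; 19-34 omitted, so 35 has no parent in this excerpt.
RAW_TREE = r'''
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1944 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:216 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2144 -
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe35⤵PID:3884
'''

HEADER = re.compile(
    r'^(?P<image>[A-Za-z]:\\\S+?\.exe)'              # image path (no spaces assumed) ...
    r'"(?P<cmd_exe>[^"]+)"\s*(?P<cmd_arg>.*?\.exe)'  # ... fused onto the quoted command line
    r'(?P<depth>\d+)⤵'                               # tree depth fused onto the last argument
    r'(?:PID:(?P<pid>\d+))?\s*$'                     # the last entry carries its PID inline
)
PID_LINE = re.compile(r'^PID:(?P<pid>\d+)')
BEHAVIOR_LINE = re.compile(r'^-\s+(?P<text>\S.*?)\s*$')

SETCTX = 'Suspicious use of SetThreadContext'
DROP = 'Drops file in System32 directory'
EXEC_DROPPED = 'Executes dropped EXE'


@dataclass
class Process:
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    behaviors: List[str] = field(default_factory=list)
    parent: Optional["Process"] = None


def parse_tree(text: str) -> List[Process]:
    """Turn the export into Process records; a parent is the latest entry one level up."""
    procs: List[Process] = []
    last_at_depth: Dict[int, Process] = {}
    cur: Optional[Process] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = Process(int(m['depth']), m['image'], f'"{m["cmd_exe"]}" {m["cmd_arg"]}')
            if m['pid']:
                cur.pid = int(m['pid'])
            cur.parent = last_at_depth.get(cur.depth - 1)  # None when a level is missing
            last_at_depth[cur.depth] = cur
            procs.append(cur)
            continue
        if cur is None:
            raise ValueError(f'line before the first process header: {line!r}')
        m = PID_LINE.match(line)
        if m:
            cur.pid = int(m['pid'])
            continue
        m = BEHAVIOR_LINE.match(line)
        if m:
            cur.behaviors.append(m['text'])
            continue
        raise ValueError(f'unrecognised line: {line!r}')
    return procs


def find_hollow_pairs(procs: List[Process]) -> List[Tuple[Optional[int], Optional[int]]]:
    """(parent PID, child PID) where the parent used SetThreadContext and the child is the
    same image: the create-suspended / write / SetThreadContext / resume injection sequence."""
    return [(p.parent.pid, p.pid) for p in procs
            if p.parent is not None and SETCTX in p.parent.behaviors
            and p.image.lower() == p.parent.image.lower()]


def wow64_redirected(p: Process) -> bool:
    """Command line names system32 but the image lives in SysWOW64: a 32-bit process
    redirected by the WOW64 file-system redirector."""
    return '\\system32\\' in p.cmdline.lower() and '\\syswow64\\' in p.image.lower()


def summarize(text: str) -> dict:
    procs = parse_tree(text)
    return {
        'processes': len(procs),
        'pids': [p.pid for p in procs],
        'hollow_pairs': find_hollow_pairs(procs),
        'dropper_stages': [p.pid for p in procs if DROP in p.behaviors and EXEC_DROPPED in p.behaviors],
        'orphans': [p.pid for p in procs if p.parent is None],
        'wow64_redirected': [p.pid for p in procs if wow64_redirected(p)],
    }


if __name__ == '__main__':
    for key, value in summarize(RAW_TREE).items():
        print(f'{key}: {value}')
```

On the full tree the same rules would yield a hollow pair for every odd-depth stage (17 to 35) and a dropper stage for every even one (16 to 34); on the excerpt they yield (216, 2144) and [1944, 2144], with 1944 and 3884 reported as orphans because their parents fall outside it.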
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 172KB
MD5: d7b48de67ccb831c7f7affbdb3f0d036
SHA1: f8052c9de58970c57cf64fa35fffa0c156b3515b
SHA256: 364b6f98b3ce4ca5591247526477a8580653ec6e61a8bd1eee09d5e678f9e31b
SHA512: d5cb142de15e2bd68c8fe9ba70120661c1f7c9df5bd8ac80f4a9fd9dcf30efb1d47aa0d19641e4b7d71cea14761678eaf09a506dadd4cda6e09b53618f5a6394