Analysis
- max time kernel: 149s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13-09-2024 09:40
Static task: static1
Behavioral task: behavioral1
- Sample: de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe
- Size: 140KB
- MD5: de2727d13e7f40cc89df6f76873ae5eb
- SHA1: 7793c43511b337787e46226b8ab742470082e640
- SHA256: 8147046c842df9bc9ac5bd88726dde13111b14137806dc6e3256bc10ed90bcd7
- SHA512: 96ed692915650ed377f5a5afcbc9f411b34c9337f4e5354592a5e9c219a8ae487645f922ef2b405dcb588a5fbf0af58f0da7bf1aba4074f2364c0dc149e60f36
- SSDEEP: 3072:3WEd1WlwiHzjIToNykjt10BuW5X9+PxeD7bxudz0SOtgNnchV2ewZx3:GY+nIOxjt10sWl4XdzdagNnewewZt
Malware Config
Extracted
- metasploit
- encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself 1 IoCs
| pid | Process |
|---|---|
| 2920 | igfxck32.exe |
Executes dropped EXE 30 IoCs
Loads dropped DLL 60 IoCs
Maps connected drives based on registry 3 TTPs 32 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 45 IoCs
Suspicious use of SetThreadContext 16 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2216 set thread context of 2708 | 2216 | de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe | 30 |
| PID 2772 set thread context of 2920 | 2772 | igfxck32.exe | 32 |
| PID 1152 set thread context of 2972 | 1152 | igfxck32.exe | 34 |
| PID 2036 set thread context of 2632 | 2036 | igfxck32.exe | 36 |
| PID 2968 set thread context of 1384 | 2968 | igfxck32.exe | 38 |
| PID 3048 set thread context of 2940 | 3048 | igfxck32.exe | 40 |
| PID 1340 set thread context of 904 | 1340 | igfxck32.exe | 42 |
| PID 3012 set thread context of 2316 | 3012 | igfxck32.exe | 44 |
| PID 1840 set thread context of 320 | 1840 | igfxck32.exe | 46 |
| PID 2804 set thread context of 2688 | 2804 | igfxck32.exe | 49 |
| PID 2748 set thread context of 2700 | 2748 | igfxck32.exe | 51 |
| PID 1156 set thread context of 2224 | 1156 | igfxck32.exe | 53 |
| PID 1492 set thread context of 568 | 1492 | igfxck32.exe | 55 |
| PID 2836 set thread context of 544 | 2836 | igfxck32.exe | 57 |
| PID 2520 set thread context of 2028 | 2520 | igfxck32.exe | 59 |
| PID 1764 set thread context of 2500 | 1764 | igfxck32.exe | 61 |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 31 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe"
PID: 2216
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe"
PID: 2708
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Users\Admin\AppData\Local\Temp\DE2727~1.EXE
PID: 2772
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Users\Admin\AppData\Local\Temp\DE2727~1.EXE
PID: 2920
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 1152
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2972
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2036
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 8: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2632
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 9: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2968
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 10: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 1384
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 11: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 3048
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 12: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2940
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 13: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 1340
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 14: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 904
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 15: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 3012
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 16: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2316
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 17: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 1840
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 18: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 320
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 19: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2804
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 20: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2688
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 21: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2748
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 22: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2700
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 23: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 1156
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 24: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2224
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 25: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 1492
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 26: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 568
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 27: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2836
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 28: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 544
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 29: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2520
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 30: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2028
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 31: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 1764
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Level 32: C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
PID: 2500
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 140KB
- MD5: de2727d13e7f40cc89df6f76873ae5eb
- SHA1: 7793c43511b337787e46226b8ab742470082e640
- SHA256: 8147046c842df9bc9ac5bd88726dde13111b14137806dc6e3256bc10ed90bcd7
- SHA512: 96ed692915650ed377f5a5afcbc9f411b34c9337f4e5354592a5e9c219a8ae487645f922ef2b405dcb588a5fbf0af58f0da7bf1aba4074f2364c0dc149e60f36