Analysis
max time kernel: 148s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-09-2024 09:40

Static task: static1
Behavioral task: behavioral1
  Sample: de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe
  Resource: win10v2004-20240802-en

General
Target: de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe
Size: 140KB
MD5: de2727d13e7f40cc89df6f76873ae5eb
SHA1: 7793c43511b337787e46226b8ab742470082e640
SHA256: 8147046c842df9bc9ac5bd88726dde13111b14137806dc6e3256bc10ed90bcd7
SHA512: 96ed692915650ed377f5a5afcbc9f411b34c9337f4e5354592a5e9c219a8ae487645f922ef2b405dcb588a5fbf0af58f0da7bf1aba4074f2364c0dc149e60f36
SSDEEP: 3072:3WEd1WlwiHzjIToNykjt10BuW5X9+PxeD7bxudz0SOtgNnchV2ewZx3:GY+nIOxjt10sWl4XdzdagNnewewZt

Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
Deletes itself 1 IoCs
pid: 916, Process: igfxck32.exe
Executes dropped EXE 32 IoCs
yara_rule upx: matches in behavioral2 memory dumps
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 48 IoCs
Suspicious use of SetThreadContext 17 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 16 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree (depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4480
[2] C:\Users\Admin\AppData\Local\Temp\de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\de2727d13e7f40cc89df6f76873ae5eb_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4868
[3] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Users\Admin\AppData\Local\Temp\DE2727~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3516
[4] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Users\Admin\AppData\Local\Temp\DE2727~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 916
[5] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 5104
[6] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 5100
[7] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4276
[8] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 5068
[9] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4480
[10] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 996
[11] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 828
[12] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3932
[13] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2820
[14] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2876
[15] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2132
[16] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3920
[17] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4236
[18] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3292
[19] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2192
[20] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3648
[21] C:\Windows\SysWOW64\igfxck32.exe
Command line: "C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4040 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1420 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1828 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2112 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3120 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2200 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4504 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5072 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4252 -
C:\Windows\SysWOW64\igfxck32.exe"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe34⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:2812
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 140KB
MD5: de2727d13e7f40cc89df6f76873ae5eb
SHA1: 7793c43511b337787e46226b8ab742470082e640
SHA256: 8147046c842df9bc9ac5bd88726dde13111b14137806dc6e3256bc10ed90bcd7
SHA512: 96ed692915650ed377f5a5afcbc9f411b34c9337f4e5354592a5e9c219a8ae487645f922ef2b405dcb588a5fbf0af58f0da7bf1aba4074f2364c0dc149e60f36