Analysis
- max time kernel: 148s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14/09/2024, 19:27
Behavioral task: behavioral1
- Sample: e0e101b3dc7d15a997ef35684bd6f504_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: e0e101b3dc7d15a997ef35684bd6f504_JaffaCakes118.exe
- Size: 221KB
- MD5: e0e101b3dc7d15a997ef35684bd6f504
- SHA1: 2e5a8d20e207bfbe0dcaf071a016fe0441b59eb0
- SHA256: c929a1360f1d25b26c8a5a0290977ed24b0dda95f06fcbd9e4f640b6c2a6fba8
- SHA512: 395cb8d9a934d709b455ffac565406e872bbe356e63093c139ac6b9d883894b54a0c900d5dfb6aa31ea4b03f41ce94b40bfa42ca80077a77cf802aa49766d3cf
- SSDEEP: 6144:pS7HStLy75Zn5YY6o7arhQ+BPyJnKMsjW5k5B9DFkeQFE7GrQ:ozStu75Z5xPyYJnD05JZwaGr
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself 1 IoCs
PID 2884: igfxtsm32.exe
Executes dropped EXE 32 IoCs
Loads dropped DLL 64 IoCs
YARA rule matches (resource: yara_rule)
- behavioral1/files/0x00080000000120ff-8.dat: upx
- behavioral1/memory/2884-21-0x0000000004EA0000-0x0000000005213000-memory.dmp: upx
- behavioral1/memory/2192-33-0x0000000000400000-0x0000000000773000-memory.dmp: upx
- behavioral1/memory/2964-46-0x0000000000400000-0x0000000000773000-memory.dmp: upx
- behavioral1/memory/2508-42-0x0000000004D10000-0x0000000005083000-memory.dmp: upx
- behavioral1/memory/2864-52-0x0000000000400000-0x0000000000773000-memory.dmp: upx
- behavioral1/memory/2964-51-0x0000000004DC0000-0x0000000005133000-memory.dmp: upx
- behavioral1/memory/1788-61-0x0000000000400000-0x0000000000773000-memory.dmp: upx
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\e0e101b3dc7d15a997ef35684bd6f504_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e0e101b3dc7d15a997ef35684bd6f504_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2472
Depth 2: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Users\Admin\AppData\Local\Temp\E0E101~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2884
Depth 3: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2712
Depth 4: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2192
Depth 5: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2508
Depth 6: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2964
Depth 7: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2864
Depth 8: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1788
Depth 9: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 848
Depth 10: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2240
Depth 11: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2136
Depth 12: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 340
Depth 13: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1448
Depth 14: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2224
Depth 15: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1688
Depth 16: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1520
Depth 17: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2352
Depth 18: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1312
Depth 19: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1680
Depth 20: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2752
Depth 21: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2596
Depth 22: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2592
Depth 23: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1908
Depth 24: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2356
Depth 25: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2856
Depth 26: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1432
Depth 27: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2944
Depth 28: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2436
Depth 29: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 760
Depth 30: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 604
Depth 31: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 568
Depth 32: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1472
Depth 33: C:\Windows\SysWOW64\igfxtsm32.exe
Command line: "C:\Windows\system32\igfxtsm32.exe" C:\Windows\SysWOW64\IGFXTS~1.EXE
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
PID: 2180
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 221KB
- MD5: e0e101b3dc7d15a997ef35684bd6f504
- SHA1: 2e5a8d20e207bfbe0dcaf071a016fe0441b59eb0
- SHA256: c929a1360f1d25b26c8a5a0290977ed24b0dda95f06fcbd9e4f640b6c2a6fba8
- SHA512: 395cb8d9a934d709b455ffac565406e872bbe356e63093c139ac6b9d883894b54a0c900d5dfb6aa31ea4b03f41ce94b40bfa42ca80077a77cf802aa49766d3cf