Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-09-2024 21:21
Static task: static1
Behavioral task: behavioral1
  Sample: e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe
Size: 168KB
MD5: e10fe5997265abe21819bf7954f90a8a
SHA1: 480ba8706f6f17be203f54e161a15491c061f16b
SHA256: 2e4439337d6e110c549cb61c6d8eab9c9c591f94f19a96c84397b4574f0a3ca3
SHA512: 33c6da8432ee4db94673475916d1f16067647589a91eee6e2426d905d334d7a64a379698589bb7da760f6928fd3c8ccd4dd3ae6258e514132cdf490cf82b719a
SSDEEP: 3072:YrNfo1ZfSD5LP3p4+OIyc6yF0Hl5aTrDq4oKnFwJIQq7WZ4UPhhC0F:Io1ZfAqKF0l5aTrbnyItihr
Malware Config
Extracted
Family: metasploit
Encoder: encoder/call4_dword_xor

Signatures

MetaSploit
Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or similar. The extracted config identifies the x86 call4_dword_xor encoder, i.e. the payload is wrapped in that encoder's decoder stub rather than being a plain stage.
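How the detection above can be reproduced offline, as an added example that is not part of the original report or of Metasploit's own code: the x86 call4_dword_xor encoder prefixes the payload with a short decoder stub whose tail is fixed (call $+4 / inc eax / pop esi / xor dword [esi+0xe],key / sub esi,-4 / loop) and carries the 32-bit XOR key in cleartext, so a scanner can both flag the stub and recover the original payload without executing it. The encode() helper, the sample payload bytes and the plain xor ecx,ecx / sub ecx,-n loop-count setup it emits are constructed for this example; real msfvenom output generates the count setup with bad-character avoidance, so only the fixed tail is matched.

```python
import re
import struct
from typing import Optional, Tuple

# Fixed tail of the Metasploit x86/call4_dword_xor decoder stub. The loop-count
# setup that precedes it varies (bad-character avoidance), so it is not matched.
#
#   e8 ff ff ff ff      call $+4    -> "returns" into its own last ff byte
#   ff c0               inc eax     (that ff is reused as the inc eax opcode)
#   5e                  pop esi     -> esi = address of the c0 byte
#   81 76 0e KKKKKKKK   xor dword [esi+0x0e], key
#   83 ee fc            sub esi, -4 -> esi += 4
#   e2 f4               loop        -> back to the xor (rel8 = -12)
#
# esi+0x0e on the first pass is the byte right after "e2 f4": the encoded
# payload follows the stub and is XORed dword by dword with one fixed key
# that sits in cleartext inside the stub.
STUB_TAIL_BEFORE_KEY = b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
STUB_TAIL_AFTER_KEY = b"\x83\xee\xfc\xe2\xf4"
STUB_RE = re.compile(
    re.escape(STUB_TAIL_BEFORE_KEY) + rb"(.{4})" + re.escape(STUB_TAIL_AFTER_KEY),
    re.DOTALL,
)


def find_stub(buf: bytes) -> Optional[Tuple[int, bytes, int]]:
    """Return (stub_offset, xor_key, offset_of_encoded_payload) or None."""
    m = STUB_RE.search(buf)
    if m is None:
        return None
    return m.start(), m.group(1), m.end()


def count_from_setup(buf: bytes, stub_off: int) -> Optional[int]:
    """Recover the dword count when the plain 'xor ecx,ecx; sub ecx,-n' form
    (31 c9 83 e9 imm8) directly precedes the stub; None otherwise."""
    if stub_off < 5:
        return None
    setup = buf[stub_off - 5:stub_off]
    if setup[:4] != b"\x31\xc9\x83\xe9":
        return None
    imm8 = struct.unpack("b", setup[4:5])[0]   # sign-extended immediate
    return -imm8                                # sub ecx, -n  ==>  ecx = n


def xor_dwords(data: bytes, key: bytes) -> bytes:
    """XOR each complete 4-byte block of data with the 32-bit key."""
    out = bytearray(data)
    for i in range(0, len(out) - len(out) % 4, 4):
        for j in range(4):
            out[i + j] ^= key[j]
    return bytes(out)


def decode(buf: bytes, ndwords: Optional[int] = None) -> Optional[bytes]:
    """Find the stub in buf and return the decoded payload (None if no stub).
    Without an explicit count, use the count setup if it is recognisable,
    otherwise decode to the end of the buffer."""
    hit = find_stub(buf)
    if hit is None:
        return None
    stub_off, key, start = hit
    if ndwords is None:
        ndwords = count_from_setup(buf, stub_off)
    end = len(buf) if ndwords is None else start + 4 * ndwords
    return xor_dwords(buf[start:end], key)


def encode(payload: bytes, key: bytes) -> bytes:
    """Lay out count setup + stub + XORed payload the way the encoder does.
    Constructed for this example: uses the plain sub ecx,imm8 count setup,
    so it only supports 1..127 dwords; the payload is NUL-padded to 4 bytes."""
    if len(key) != 4:
        raise ValueError("key must be 4 bytes")
    padded = payload + b"\x00" * (-len(payload) % 4)
    n = len(padded) // 4
    if not 0 < n < 128:
        raise ValueError("example count setup only handles 1..127 dwords")
    count_setup = b"\x31\xc9\x83\xe9" + bytes([(-n) & 0xFF])  # xor ecx,ecx; sub ecx,-n
    return count_setup + STUB_TAIL_BEFORE_KEY + key + STUB_TAIL_AFTER_KEY + xor_dwords(padded, key)


# Constructed sample: not shellcode, just bytes to round-trip through the stub.
SAMPLE_KEY = b"\x13\x37\xbe\xef"
SAMPLE_PAYLOAD = b"constructed stage bytes, not shellcode"


def roundtrip():
    """Embed an encoded blob between junk bytes, locate the stub, recover key and payload."""
    blob = b"\x90" * 7 + encode(SAMPLE_PAYLOAD, SAMPLE_KEY) + b"\xcc" * 5
    hit = find_stub(blob)
    key = None if hit is None else hit[1]
    return key, decode(blob)


if __name__ == "__main__":
    key, plain = roundtrip()
    print("key:", key.hex(), "payload:", plain)
```

Because the key is stored next to the data it protects, this encoder hides nothing from static analysis; its value to an attacker is only bad-character avoidance and breaking naive signatures on the raw stage. Matching on the 15 fixed stub bytes, with a wildcard for the key, is what lets a sandbox or YARA rule name the encoder without running the sample.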

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process | count
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxwk32.exe | 14
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 1

Deletes itself (1 IoC)
pid | Process
3036 | igfxwk32.exe

Executes dropped EXE (29 IoCs)
Process: igfxwk32.exe in every row
pids: 3320, 3036, 4896, 4336, 2696, 1636, 2456, 764, 2132, 768, 2532, 4956, 664, 2448, 4200, 4688, 4432, 2112, 348, 1212, 3176, 2516, 4296, 4456, 4092, 4796, 2456, 2040, 3656 (PID 2456 is listed twice)

YARA rule "upx" matched (25 IoCs)
resource | yara_rule
Every hit covers 0x0000000000400000-0x0000000000466000 of a behavioral2 process image (resource names are behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000466000-memory.dmp):
4132-0, 4132-2, 4132-3, 4132-4, 4132-38, 3036-46, 3036-45, 3036-44, 3036-43, 3036-48, 4336-55, 1636-62, 764-69, 768-77, 4956-84, 2448-91, 4688-98, 2112-104, 1212-109, 1212-110, 1212-111, 2516-118, 4456-128, 4796-136, 2040-145 | upx

Maps connected drives based on registry (3 TTPs, 30 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe | 14
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 1
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe | 14
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 1

Drops file in System32 directory (45 IoCs)
description | ioc | Process | count
File created | C:\Windows\SysWOW64\igfxwk32.exe | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 1
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe | 14
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe | 14
File opened for modification | C:\Windows\SysWOW64\ | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe | 14

Suspicious use of SetThreadContext (15 IoCs)
description | pid | Process | procid_target
PID 2720 set thread context of 4132 | 2720 | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 94
PID 3320 set thread context of 3036 | 3320 | igfxwk32.exe | 98
PID 4896 set thread context of 4336 | 4896 | igfxwk32.exe | 100
PID 2696 set thread context of 1636 | 2696 | igfxwk32.exe | 105
PID 2456 set thread context of 764 | 2456 | igfxwk32.exe | 107
PID 2132 set thread context of 768 | 2132 | igfxwk32.exe | 109
PID 2532 set thread context of 4956 | 2532 | igfxwk32.exe | 111
PID 664 set thread context of 2448 | 664 | igfxwk32.exe | 113
PID 4200 set thread context of 4688 | 4200 | igfxwk32.exe | 115
PID 4432 set thread context of 2112 | 4432 | igfxwk32.exe | 117
PID 348 set thread context of 1212 | 348 | igfxwk32.exe | 119
PID 3176 set thread context of 2516 | 3176 | igfxwk32.exe | 121
PID 4296 set thread context of 4456 | 4296 | igfxwk32.exe | 123
PID 4092 set thread context of 4796 | 4092 | igfxwk32.exe | 125
PID 2456 set thread context of 2040 | 2456 | igfxwk32.exe | 127

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 30 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwk32.exe | 28
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 2

Modifies registry class (15 IoCs)
description | ioc | Process | count
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe | 14
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 1

Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid | Process | count
4132 | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 4
3036 | igfxwk32.exe | 4
4336 | igfxwk32.exe | 4
1636 | igfxwk32.exe | 4
764 | igfxwk32.exe | 4
768 | igfxwk32.exe | 4
4956 | igfxwk32.exe | 4
2448 | igfxwk32.exe | 4
4688 | igfxwk32.exe | 4
2112 | igfxwk32.exe | 4
1212 | igfxwk32.exe | 4
2516 | igfxwk32.exe | 4
4456 | igfxwk32.exe | 4
4796 | igfxwk32.exe | 4
2040 | igfxwk32.exe | 4

Suspicious use of WriteProcessMemory (64 IoCs; the listing stops at 64 rows while the process chain continues)
description | pid | Process | procid_target | count
PID 2720 wrote to memory of 4132 | 2720 | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 94 | 7
PID 4132 wrote to memory of 3320 | 4132 | e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe | 97 | 3
PID 3320 wrote to memory of 3036 | 3320 | igfxwk32.exe | 98 | 7
PID 3036 wrote to memory of 4896 | 3036 | igfxwk32.exe | 99 | 3
PID 4896 wrote to memory of 4336 | 4896 | igfxwk32.exe | 100 | 7
PID 4336 wrote to memory of 2696 | 4336 | igfxwk32.exe | 102 | 3
PID 2696 wrote to memory of 1636 | 2696 | igfxwk32.exe | 105 | 7
PID 1636 wrote to memory of 2456 | 1636 | igfxwk32.exe | 106 | 3
PID 2456 wrote to memory of 764 | 2456 | igfxwk32.exe | 107 | 7
PID 764 wrote to memory of 2132 | 764 | igfxwk32.exe | 108 | 3
PID 2132 wrote to memory of 768 | 2132 | igfxwk32.exe | 109 | 7
PID 768 wrote to memory of 2532 | 768 | igfxwk32.exe | 110 | 3
PID 2532 wrote to memory of 4956 | 2532 | igfxwk32.exe | 111 | 4
Processes
Nesting level in brackets; each process is the parent of the next one. The command line names C:\Windows\system32\igfxwk32.exe, but the image actually runs from C:\Windows\SysWOW64 because the 32-bit process is subject to file system redirection. PID 2456 appears at levels 9 and 29, i.e. the PID was reused after the earlier process exited.

[1] C:\Users\Admin\AppData\Local\Temp\e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe (PID 2720)
    command line: "C:\Users\Admin\AppData\Local\Temp\e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe (PID 4132)
    command line: "C:\Users\Admin\AppData\Local\Temp\e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe"
    - Checks computer location settings
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\igfxwk32.exe (PID 3320)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\E10FE5~1.EXE
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\SysWOW64\igfxwk32.exe (PID 3036)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\E10FE5~1.EXE
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\SysWOW64\igfxwk32.exe (PID 4896)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\SysWOW64\igfxwk32.exe (PID 4336)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\SysWOW64\igfxwk32.exe (PID 2696)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\SysWOW64\igfxwk32.exe (PID 1636)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\SysWOW64\igfxwk32.exe (PID 2456)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\SysWOW64\igfxwk32.exe (PID 764)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[11] C:\Windows\SysWOW64\igfxwk32.exe (PID 2132)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\SysWOW64\igfxwk32.exe (PID 768)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[13] C:\Windows\SysWOW64\igfxwk32.exe (PID 2532)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[14] C:\Windows\SysWOW64\igfxwk32.exe (PID 4956)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[15] C:\Windows\SysWOW64\igfxwk32.exe (PID 664)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[16] C:\Windows\SysWOW64\igfxwk32.exe (PID 2448)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[17] C:\Windows\SysWOW64\igfxwk32.exe (PID 4200)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[18] C:\Windows\SysWOW64\igfxwk32.exe (PID 4688)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[19] C:\Windows\SysWOW64\igfxwk32.exe (PID 4432)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[20] C:\Windows\SysWOW64\igfxwk32.exe (PID 2112)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[21] C:\Windows\SysWOW64\igfxwk32.exe (PID 348)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[22] C:\Windows\SysWOW64\igfxwk32.exe (PID 1212)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[23] C:\Windows\SysWOW64\igfxwk32.exe (PID 3176)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[24] C:\Windows\SysWOW64\igfxwk32.exe (PID 2516)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[25] C:\Windows\SysWOW64\igfxwk32.exe (PID 4296)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[26] C:\Windows\SysWOW64\igfxwk32.exe (PID 4456)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[27] C:\Windows\SysWOW64\igfxwk32.exe (PID 4092)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[28] C:\Windows\SysWOW64\igfxwk32.exe (PID 4796)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[29] C:\Windows\SysWOW64\igfxwk32.exe (PID 2456)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

[30] C:\Windows\SysWOW64\igfxwk32.exe (PID 2040)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

[31] C:\Windows\SysWOW64\igfxwk32.exe (PID 3656)
    command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
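A way to read the SetThreadContext and WriteProcessMemory tables together with this tree, as an added example that is not part of the report: every parent/child pair that shows seven WriteProcessMemory rows is also a SetThreadContext pair and both processes run the same image, while the pairs with three rows and no SetThreadContext are plain launches of the next copy. The script below is my own code; the rows are copied from the report's tables (first links of the chain only), the pid-to-image map is taken from the tree, and the write counts it keys on are just what this report shows, not a general rule. It aggregates rows per parent/child pair, labels each link as an injection (writes plus a thread-context reset into a same-image child, which is what process hollowing looks like in this telemetry) or a spawn, and walks the chain from the submitted sample.

```python
import re
from collections import defaultdict

# One report row, e.g. "PID 2720 set thread context of 4132 2720 <image> 94":
# source pid, action, target pid, source pid again, source image, and the
# target's internal process id.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<what>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)

# Rows copied from the report's SetThreadContext and WriteProcessMemory
# tables (first links of the chain only); second element = how often the
# report repeats that row.
REPORT_ROWS = [
    ("PID 2720 set thread context of 4132 2720 e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe 94", 1),
    ("PID 3320 set thread context of 3036 3320 igfxwk32.exe 98", 1),
    ("PID 4896 set thread context of 4336 4896 igfxwk32.exe 100", 1),
    ("PID 2720 wrote to memory of 4132 2720 e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe 94", 7),
    ("PID 4132 wrote to memory of 3320 4132 e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe 97", 3),
    ("PID 3320 wrote to memory of 3036 3320 igfxwk32.exe 98", 7),
    ("PID 3036 wrote to memory of 4896 3036 igfxwk32.exe 99", 3),
    ("PID 4896 wrote to memory of 4336 4896 igfxwk32.exe 100", 7),
    ("PID 4336 wrote to memory of 2696 4336 igfxwk32.exe 102", 3),
]

# pid -> image name, taken from the report's process tree
IMAGES = {
    2720: "e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe",
    4132: "e10fe5997265abe21819bf7954f90a8a_JaffaCakes118.exe",
    3320: "igfxwk32.exe", 3036: "igfxwk32.exe", 4896: "igfxwk32.exe",
    4336: "igfxwk32.exe", 2696: "igfxwk32.exe",
}


def parse_edges(rows):
    """Aggregate rows into per-(parent, child) counters of writes and context resets."""
    edges = defaultdict(lambda: {"writes": 0, "set_ctx": 0})
    for text, n in rows:
        m = ROW_RE.fullmatch(text)
        if m is None:
            raise ValueError("unrecognised row: " + text)
        key = (int(m["src"]), int(m["dst"]))
        field = "set_ctx" if m["what"].startswith("set") else "writes"
        edges[key][field] += n
    return dict(edges)


def classify(edge, src, dst, images):
    """'inject' when the parent both wrote into the child and reset its thread
    context and both run the same image (self-injection into a fresh copy);
    'spawn' for every other parent/child link."""
    if edge["set_ctx"] and edge["writes"] and images.get(src) == images.get(dst):
        return "inject"
    return "spawn"


def chain(edges, images, root):
    """Walk parent -> child links from root; each step is (pid, kind of link into it)."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    steps, pid, seen = [(root, "root")], root, {root}
    while children.get(pid):
        nxt = min(children[pid])        # one child per level in this report
        if nxt in seen:                 # guard against pid reuse loops
            break
        steps.append((nxt, classify(edges[(pid, nxt)], pid, nxt, images)))
        seen.add(nxt)
        pid = nxt
    return steps


def summarize(steps):
    """Count link kinds so a triage note can say 'N self-injections, M spawns'."""
    counts = defaultdict(int)
    for _, kind in steps[1:]:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    steps = chain(parse_edges(REPORT_ROWS), IMAGES, 2720)
    for pid, kind in steps:
        print(f"{kind:>6}  {pid:<5} {IMAGES[pid]}")
    print(summarize(steps))
```

The alternation the walk produces (inject, spawn, inject, spawn, ...) is the whole story of the tree above: each hollowed copy is the one that does the real work (registry checks, dropping igfxwk32.exe, EnumeratesProcesses) and then launches a clean copy, which immediately injects into a child of itself again. For detection, the pair of signals worth keying on is the same-image child that receives a thread-context reset after memory writes; the repeat count is incidental.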
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 168KB
MD5: e10fe5997265abe21819bf7954f90a8a
SHA1: 480ba8706f6f17be203f54e161a15491c061f16b
SHA256: 2e4439337d6e110c549cb61c6d8eab9c9c591f94f19a96c84397b4574f0a3ca3
SHA512: 33c6da8432ee4db94673475916d1f16067647589a91eee6e2426d905d334d7a64a379698589bb7da760f6928fd3c8ccd4dd3ae6258e514132cdf490cf82b719a
These are the same hashes as the submitted sample in the General section, so the file offered here is byte-identical to it.