Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-09-2024 09:42
Static task: static1
Behavioral task: behavioral1
  Sample: e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
The signatures, memory dumps (behavioral2/memory/...) and process tree on this page come from behavioral2, the Windows 10 2004 x64 run named in the platform line above.
General
Target: e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe
Size: 173KB
MD5: e23157efe041a73c68ceaf2b5074db65
SHA1: f5f8ee6414e5fd16bdf602dbf6963403986e2273
SHA256: 9300d6b3aa972e79da286df5b1cb3345529cf2d1cbf09c2e7f7e38e096e48ac5
SHA512: 80f96914831985adb1c5db6227c98d7f6b9aa12a884b0930ca1a0e0551f901b1e89e9af4b4eb7e2cff468e0e246964d1edf389d366cc95f24ca2e4c1d9a3f423
SSDEEP: 3072:UnnA9CEAi+ylfLDtS/SkBgLAhrjLD12WpciDMa2t5tpmhpAUAC5XQ7M:UcCPI8ZeEJ128972/tpC/ASQ7M
Malware Config
Extracted: metasploit
encoder/call4_dword_xor (the Metasploit x86 encoder module x86/call4_dword_xor: the payload is XORed dword by dword with a 4-byte key, and a short call/pop decoder stub placed in front of it recovers the original bytes at run time)
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
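The extracted config names the encoder as call4_dword_xor. As an added example (not code from this page and not Metasploit's own code), the Python below reproduces what that encoder does to a buffer and then recovers the buffer the way a config extractor does: it scans for the fixed bytes of the decoder stub, reads the 4-byte key out of the xor instruction and XORs the dwords that follow. The stub bytes are the ones the Metasploit module emits; the ECX counter encoding (xor ecx,ecx ; sub ecx,imm8), the NOP padding and the stand-in payload are this example's own assumptions, and the stand-in is plain text, not shellcode.

```python
"""Metasploit x86/call4_dword_xor: encode a buffer, then recover it the way a
config extractor does, by locating the decoder stub and reading its key."""
import re
import struct

# Fixed part of the decoder stub that x86/call4_dword_xor emits. The ECX
# counter setup that precedes it varies with bad-char avoidance, so it is
# not part of the signature.
#   e8 ff ff ff ff        call $+4      ; rel32 = -1 lands on the last ff, which
#   ff c0                 inc eax       ;   together with c0 reads as inc eax
#   5e                    pop esi       ; esi = pushed return address (the "ff c0")
#   81 76 0e KK KK KK KK  xor [esi+0xe], key   ; esi+0xe = first encoded dword
#   83 ee fc              sub esi, -4   ; next dword
#   e2 f4                 loop          ; back to the xor while ecx != 0
STUB_PREFIX = b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
STUB_SUFFIX = b"\x83\xee\xfc\xe2\xf4"
STUB_RE = re.compile(re.escape(STUB_PREFIX) + b"(.{4})" + re.escape(STUB_SUFFIX), re.S)
COUNTER_PREFIX = b"\x31\xc9\x83\xe9"  # xor ecx,ecx ; sub ecx,imm8 (this example's form, assumed)


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR every little-endian dword of data with key (length must be a multiple of 4)."""
    if len(data) % 4:
        raise ValueError("length is not a multiple of 4")
    return b"".join(struct.pack("<I", d ^ key) for (d,) in struct.iter_unpack("<I", data))


def encode(payload: bytes, key: int) -> bytes:
    """Counter + stub + XORed payload. NOP padding to a dword boundary and the
    imm8 counter form are this example's choices, not necessarily msfvenom's."""
    if len(payload) % 4:
        payload += b"\x90" * (4 - len(payload) % 4)
    n = len(payload) // 4
    if not 1 <= n <= 128:
        raise ValueError("imm8 counter covers 1..128 dwords only")
    counter = COUNTER_PREFIX + struct.pack("<b", -n)  # sub ecx,-n  => ecx = n
    stub = STUB_PREFIX + struct.pack("<I", key) + STUB_SUFFIX
    return counter + stub + xor_dwords(payload, key)


def extract(blob: bytes):
    """Locate the stub in blob, read the key and decode what follows.
    Returns (stub_offset, key, decoded) or None. If the simple counter form
    precedes the stub, only that many dwords are decoded; otherwise everything
    up to the last full dword is decoded."""
    m = STUB_RE.search(blob)
    if m is None:
        return None
    key = struct.unpack("<I", m.group(1))[0]
    body = blob[m.end():]
    pre = blob[max(0, m.start() - 5):m.start()]
    if len(pre) == 5 and pre[:4] == COUNTER_PREFIX:
        n = -struct.unpack("<b", pre[4:5])[0]
        body = body[:4 * n]
    body = body[:len(body) - len(body) % 4]
    return m.start(), key, xor_dwords(body, key)


# Constructed stand-in for a payload: arbitrary bytes, not shellcode.
SAMPLE_PAYLOAD = b"constructed-stand-in-payload-not-shellcode"
SAMPLE_KEY = 0x41424344


def demo():
    """Round-trip the stand-in through a blob with junk bytes on either side."""
    blob = b"\x00" * 16 + encode(SAMPLE_PAYLOAD, SAMPLE_KEY) + b"\xcc" * 8
    off, key, decoded = extract(blob)
    return off, hex(key), decoded.rstrip(b"\x90")


if __name__ == "__main__":
    print(demo())
```

The 10-byte prefix and 5-byte suffix with a 4-byte wildcard between them are the natural YARA signature for this encoder; the key itself changes per build, so never put it in the rule.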
-
Checks computer location settings (2 TTPs, 16 IoCs; identical rows collapsed, count = occurrences)
Looks up the country code configured in the registry, likely for geofencing.
description        ioc                                                                                                process                                             count
Key value queried  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation  igfxhs32.exe                                        15
Key value queried  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation  e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  1
Deletes itself (1 IoC)
pid   process
940   igfxhs32.exe
Executes dropped EXE (32 IoCs)
process: igfxhs32.exe
pids (in order): 4088, 940, 4528, 1792, 716, 3564, 3476, 4016, 4232, 3132, 3632, 4600, 3568, 3984, 2360, 5092, 2656, 2936, 4084, 5080, 4804, 1236, 976, 3076, 3676, 3064, 208, 2608, 4076, 2772, 3116, 3440
UPX yara-rule matches in memory dumps (23 IoCs)
Every listed dump covers 0x0000000032570000-0x00000000325D6000 and matches yara rule upx. The dump names are behavioral2/memory/<pid>-<n>-0x0000000032570000-0x00000000325D6000-memory.dmp for <pid>-<n> in:
4700-0, 4700-2, 4700-3, 4700-4, 4700-39, 940-44, 940-45, 940-43, 940-47, 1792-54, 3564-62, 4016-69, 3132-76, 4600-83, 3984-90, 5092-97, 2936-104, 5080-112, 1236-119, 3076-128, 3064-136, 2608-144, 2772-152
Every PID here is a target PID in the SetThreadContext table below, i.e. the child whose thread context was rewritten, which is consistent with the UPX-packed image being mapped at that base inside each hollowed copy.
Maps connected drives based on registry (3 TTPs, 34 IoCs; identical rows collapsed, count = occurrences)
Disk information is often read in order to detect sandboxing environments.
description        ioc                                                          process                                             count
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  1
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    igfxhs32.exe                                        16
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  1
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  igfxhs32.exe                                        16
Drops file in System32 directory (48 IoCs; identical rows collapsed, count = occurrences)
description                   ioc                               process                                             count
File created                  C:\Windows\SysWOW64\igfxhs32.exe  e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  1
File created                  C:\Windows\SysWOW64\igfxhs32.exe  igfxhs32.exe                                        15
File opened for modification  C:\Windows\SysWOW64\igfxhs32.exe  e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  1
File opened for modification  C:\Windows\SysWOW64\igfxhs32.exe  igfxhs32.exe                                        15
File opened for modification  C:\Windows\SysWOW64\              e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  1
File opened for modification  C:\Windows\SysWOW64\              igfxhs32.exe                                        15
The sample is 32-bit (note WOW6432Node in the registry IoCs), so "System32" in the signature name resolves to C:\Windows\SysWOW64 through file-system redirection; the command lines in the process tree that say C:\Windows\system32\igfxhs32.exe start the SysWOW64 copy. When hunting, check C:\Windows\SysWOW64\igfxhs32.exe explicitly rather than relying on a redirected path.
Suspicious use of SetThreadContext (17 IoCs)
pid   target pid  process                                             procid_target
2832  4700        e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  91
4088  940         igfxhs32.exe                                        96
4528  1792        igfxhs32.exe                                        98
716   3564        igfxhs32.exe                                        102
3476  4016        igfxhs32.exe                                        104
4232  3132        igfxhs32.exe                                        106
3632  4600        igfxhs32.exe                                        108
3568  3984        igfxhs32.exe                                        110
2360  5092        igfxhs32.exe                                        112
2656  2936        igfxhs32.exe                                        114
4084  5080        igfxhs32.exe                                        116
4804  1236        igfxhs32.exe                                        118
976   3076        igfxhs32.exe                                        120
3676  3064        igfxhs32.exe                                        122
208   2608        igfxhs32.exe                                        124
4076  2772        igfxhs32.exe                                        126
3116  3440        igfxhs32.exe                                        128
In every row the parent and the target run the same image, the parent also writes to the target's memory (WriteProcessMemory table below), and the target is where the UPX-packed region appears: the create-child, overwrite-memory, redirect-thread-context sequence of process hollowing, repeated once per copy.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 33 IoCs; identical rows collapsed, count = occurrences)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        process                                             count
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igfxhs32.exe                                        31
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  2
Modifies registry class (16 IoCs; identical rows collapsed, count = occurrences)
description  ioc                                                                                                process                                             count
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  igfxhs32.exe                                        15
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  1
Suspicious behavior: EnumeratesProcesses (64 IoCs; each pid appears 4 times)
pid   process
4700  e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe
940, 1792, 3564, 4016, 3132, 4600, 3984, 5092, 2936, 5080, 1236, 3076, 3064, 2608, 2772  igfxhs32.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count = occurrences)
pid   target pid  process                                             procid_target  count
2832  4700        e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  91             7
4700  4088        e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  93             3
4088  940         igfxhs32.exe                                        96             7
940   4528        igfxhs32.exe                                        97             3
4528  1792        igfxhs32.exe                                        98             7
1792  716         igfxhs32.exe                                        99             3
716   3564        igfxhs32.exe                                        102            7
3564  3476        igfxhs32.exe                                        103            3
3476  4016        igfxhs32.exe                                        104            7
4016  4232        igfxhs32.exe                                        105            3
4232  3132        igfxhs32.exe                                        106            7
3132  3632        igfxhs32.exe                                        107            3
3632  4600        igfxhs32.exe                                        108            4
The pairs with seven writes are exactly the SetThreadContext pairs above (the hollowing steps); the pairs with three writes have no SetThreadContext row and are plain parent-to-child process creation. The table ends at 64 entries, so the last pair is cut short and the copies later in the process tree (from PID 3568 on) carry no WriteProcessMemory tag; that is a listing limit, not a change in behaviour.
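The SetThreadContext and WriteProcessMemory tables describe one linear chain: each copy hollows a child started from the same image, and that child drops and starts the next copy. As an added example (not code from this page or from the sandbox), the Python below parses rows in the report's own row format, copied from the two tables for the first seven hops, and labels every parent-to-child hop as a hollowing step (thread context set, seven writes) or a plain spawn (three writes, no context change). Treating the three-write hops as CreateProcess setting up the new child is this example's assumption.

```python
"""Rebuild the self-replicating process-hollowing chain from tria.ge-style
'set thread context' and 'wrote to memory' rows."""
import re
from collections import Counter

# Rows copied from this report's SetThreadContext table (first four links).
SET_THREAD_CONTEXT_ROWS = """
PID 2832 set thread context of 4700 2832 e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe 91
PID 4088 set thread context of 940 4088 igfxhs32.exe 96
PID 4528 set thread context of 1792 4528 igfxhs32.exe 98
PID 716 set thread context of 3564 716 igfxhs32.exe 102
"""

# Rows copied from the WriteProcessMemory table, repeated as often as the report lists them.
WRITE_PROCESS_MEMORY_ROWS = "\n".join(
    row
    for row, n in [
        ("PID 2832 wrote to memory of 4700 2832 e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe 91", 7),
        ("PID 4700 wrote to memory of 4088 4700 e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe 93", 3),
        ("PID 4088 wrote to memory of 940 4088 igfxhs32.exe 96", 7),
        ("PID 940 wrote to memory of 4528 940 igfxhs32.exe 97", 3),
        ("PID 4528 wrote to memory of 1792 4528 igfxhs32.exe 98", 7),
        ("PID 1792 wrote to memory of 716 1792 igfxhs32.exe 99", 3),
        ("PID 716 wrote to memory of 3564 716 igfxhs32.exe 102", 7),
    ]
    for _ in range(n)
)

# "PID <src> <verb> <dst> <src again> <image> <procid_target>"
ROW = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) \d+$")


def parse_rows(text):
    """-> [(source_pid, target_pid, source_image)], one per matching line."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(3)), m.group(4)))
    return rows


def classify_edges(set_ctx_text, wpm_text):
    """Every parent->child pair seen in WriteProcessMemory becomes an edge.
    'hollow' = the parent also set the child's thread context; 'spawn' = plain
    child creation (assumed: the few writes are CreateProcess populating the
    child). Returns ({edge: role}, Counter of writes per edge)."""
    ctx = {(s, d) for s, d, _ in parse_rows(set_ctx_text)}
    writes = Counter((s, d) for s, d, _ in parse_rows(wpm_text))
    roles = {e: ("hollow" if e in ctx else "spawn") for e in writes}
    return roles, writes


def chain_from(root, edges):
    """Follow parent->child edges from root. The report's tree is linear
    (one child per process), so a branch is reported as an error."""
    children = {}
    for s, d in edges:
        children.setdefault(s, []).append(d)
    path = [root]
    while path[-1] in children:
        kids = children[path[-1]]
        if len(kids) != 1:
            raise ValueError(f"pid {path[-1]} has {len(kids)} children")
        path.append(kids[0])
    return path


def roles_along(chain, roles):
    """Role of each hop in the chain, e.g. ['hollow', 'spawn', 'hollow', ...]."""
    return [roles[(a, b)] for a, b in zip(chain, chain[1:])]


if __name__ == "__main__":
    roles, writes = classify_edges(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS)
    chain = chain_from(2832, roles)
    for (a, b), r in zip(zip(chain, chain[1:]), roles_along(chain, roles)):
        print(f"{a:>5} -> {b:<5} {r:6} writes={writes[(a, b)]}")
```

The same two-signal rule (a parent writes into a child it created from its own image and then calls SetThreadContext on it) is what to alert on from EDR telemetry; WriteProcessMemory on its own fires on every ordinary process creation, as the three-write hops show.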
Processes
-
Each level is a child of the level above it; "cmdline" is the command line as recorded.

level 1  C:\Users\Admin\AppData\Local\Temp\e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  PID 2832
  cmdline: "C:\Users\Admin\AppData\Local\Temp\e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 2  C:\Users\Admin\AppData\Local\Temp\e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe  PID 4700
  cmdline: "C:\Users\Admin\AppData\Local\Temp\e23157efe041a73c68ceaf2b5074db65_JaffaCakes118.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
level 3  C:\Windows\SysWOW64\igfxhs32.exe  PID 4088
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Users\Admin\AppData\Local\Temp\E23157~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 4  C:\Windows\SysWOW64\igfxhs32.exe  PID 940
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Users\Admin\AppData\Local\Temp\E23157~1.EXE
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
level 5  C:\Windows\SysWOW64\igfxhs32.exe  PID 4528
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 6  C:\Windows\SysWOW64\igfxhs32.exe  PID 1792
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
level 7  C:\Windows\SysWOW64\igfxhs32.exe  PID 716
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 8  C:\Windows\SysWOW64\igfxhs32.exe  PID 3564
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
level 9  C:\Windows\SysWOW64\igfxhs32.exe  PID 3476
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 10  C:\Windows\SysWOW64\igfxhs32.exe  PID 4016
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
level 11  C:\Windows\SysWOW64\igfxhs32.exe  PID 4232
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 12  C:\Windows\SysWOW64\igfxhs32.exe  PID 3132
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
level 13  C:\Windows\SysWOW64\igfxhs32.exe  PID 3632
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 14  C:\Windows\SysWOW64\igfxhs32.exe  PID 4600
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
level 15  C:\Windows\SysWOW64\igfxhs32.exe  PID 3568
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
level 16  C:\Windows\SysWOW64\igfxhs32.exe  PID 3984
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
level 17  C:\Windows\SysWOW64\igfxhs32.exe  PID 2360
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
level 18  C:\Windows\SysWOW64\igfxhs32.exe  PID 5092
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
level 19  C:\Windows\SysWOW64\igfxhs32.exe  PID 2656
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
level 20  C:\Windows\SysWOW64\igfxhs32.exe  PID 2936
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
level 21  C:\Windows\SysWOW64\igfxhs32.exe  PID 4084
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
level 22  C:\Windows\SysWOW64\igfxhs32.exe  PID 5080
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
level 23  C:\Windows\SysWOW64\igfxhs32.exe  PID 4804
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
level 24  C:\Windows\SysWOW64\igfxhs32.exe  PID 1236
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
level 25  C:\Windows\SysWOW64\igfxhs32.exe  PID 976
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
level 26  C:\Windows\SysWOW64\igfxhs32.exe  PID 3076
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
level 27  C:\Windows\SysWOW64\igfxhs32.exe  PID 3676
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
level 28  C:\Windows\SysWOW64\igfxhs32.exe  PID 3064
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
level 29  C:\Windows\SysWOW64\igfxhs32.exe  PID 208
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
level 30  C:\Windows\SysWOW64\igfxhs32.exe  PID 2608
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
level 31  C:\Windows\SysWOW64\igfxhs32.exe  PID 4076
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
level 32  C:\Windows\SysWOW64\igfxhs32.exe  PID 2772
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
level 33  C:\Windows\SysWOW64\igfxhs32.exe  PID 3116
  cmdline: "C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
level 34  C:\Windows\SysWOW64\igfxhs32.exe  PID 3440
  cmdline: "C:\Windows\SysWOW64\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
  - Executes dropped EXE
  - Maps connected drives based on registry
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 173KB
MD5: e23157efe041a73c68ceaf2b5074db65
SHA1: f5f8ee6414e5fd16bdf602dbf6963403986e2273
SHA256: 9300d6b3aa972e79da286df5b1cb3345529cf2d1cbf09c2e7f7e38e096e48ac5
SHA512: 80f96914831985adb1c5db6227c98d7f6b9aa12a884b0930ca1a0e0551f901b1e89e9af4b4eb7e2cff468e0e246964d1edf389d366cc95f24ca2e4c1d9a3f423
These hashes are identical to the submitted sample's, so the file written to C:\Windows\SysWOW64\igfxhs32.exe is a byte-for-byte copy of the original; the same hash IoCs cover both.