Analysis
max time kernel
145s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
16-09-2024 05:56
Static task
static1
Behavioral task
behavioral1
Sample
e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
Target
e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe
Size
171KB
MD5
e423dd0f0183644c8d9839f0cdd6ed51
SHA1
2d31683a62d02f0ee051228d2ddbf11d3a695813
SHA256
5aa72f698a2226a6faccd818f6499b5962458b9aec96fc86e8c45eca2635d3ac
SHA512
963654a7345ca907083b27701c549ec93a740bf1fecc2ba798b0768297c81a77ca0a6f89a1c97aec2596522dd4c799c0b6b3b9670360a3781611b7e353993d11
SSDEEP
3072:a3C/x9UL+MRjcCMY8RdPBVyvnKfO1kwpYgn8jhl2nVA4h7Bfeaf6GO:aS9QVt8LP+e5wdnuh2jj/6GO
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself 1 IoCs
pid Process
584 igfxpk32.exe
Executes dropped EXE 33 IoCs
Loads dropped DLL 33 IoCs
resource yara_rule
upx (matched in the behavioral1 memory dumps of the sample process and of the dropped igfxpk32.exe processes)
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 51 IoCs
Suspicious use of SetThreadContext 17 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 34 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe" (depth 1)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840
C:\Users\Admin\AppData\Local\Temp\e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe" (depth 2)
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1564
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\E423DD~1.EXE (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\E423DD~1.EXE (depth 4)
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:584
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1232
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1136
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3048
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1320
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:900
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1700
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 17)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1652
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 18)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2524
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 19)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:992
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 20)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2192
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 21)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2532
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 22)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2852
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 23)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2744
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 24)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2640
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 25)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1500
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 26)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2224
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 27)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2088
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 28)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2804
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 29)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2792
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 30)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:480
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 31)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2496
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 32)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1568
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 33)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2556
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 34)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:924
C:\Windows\SysWOW64\igfxpk32.exe "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe (depth 35)
- Executes dropped EXE
PID:2060
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
171KB
MD5
e423dd0f0183644c8d9839f0cdd6ed51
SHA1
2d31683a62d02f0ee051228d2ddbf11d3a695813
SHA256
5aa72f698a2226a6faccd818f6499b5962458b9aec96fc86e8c45eca2635d3ac
SHA512
963654a7345ca907083b27701c549ec93a740bf1fecc2ba798b0768297c81a77ca0a6f89a1c97aec2596522dd4c799c0b6b3b9670360a3781611b7e353993d11