Analysis
max time kernel: 149s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2024 05:56
Static task: static1
Behavioral task: behavioral1
Sample: e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe
Size: 171KB
MD5: e423dd0f0183644c8d9839f0cdd6ed51
SHA1: 2d31683a62d02f0ee051228d2ddbf11d3a695813
SHA256: 5aa72f698a2226a6faccd818f6499b5962458b9aec96fc86e8c45eca2635d3ac
SHA512: 963654a7345ca907083b27701c549ec93a740bf1fecc2ba798b0768297c81a77ca0a6f89a1c97aec2596522dd4c799c0b6b3b9670360a3781611b7e353993d11
SSDEEP: 3072:a3C/x9UL+MRjcCMY8RdPBVyvnKfO1kwpYgn8jhl2nVA4h7Bfeaf6GO:aS9QVt8LP+e5wdnuh2jj/6GO
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | igfxpk32.exe
Deletes itself 1 IoCs
pid | Process
2592 | igfxpk32.exe
Executes dropped EXE 32 IoCs
YARA rule hits in memory dumps:
resource | yara_rule
behavioral2/memory/4564-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4564-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4564-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4564-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4564-38-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2592-45-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2592-47-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/912-54-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3496-61-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/872-69-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4720-76-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4392-81-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/432-89-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1356-96-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5084-103-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3636-109-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2052-115-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2052-118-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4680-126-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1876-135-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/724-143-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4568-151-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 45 IoCs
Suspicious use of SetThreadContext 17 IoCs
description | pid | Process | procid_target
PID 2016 set thread context of 4564 | 2016 | e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe | 87
PID 1988 set thread context of 2592 | 1988 | igfxpk32.exe | 91
PID 4836 set thread context of 912 | 4836 | igfxpk32.exe | 93
PID 2704 set thread context of 3496 | 2704 | igfxpk32.exe | 97
PID 1932 set thread context of 872 | 1932 | igfxpk32.exe | 99
PID 2500 set thread context of 4720 | 2500 | igfxpk32.exe | 101
PID 1216 set thread context of 4392 | 1216 | igfxpk32.exe | 103
PID 3260 set thread context of 432 | 3260 | igfxpk32.exe | 105
PID 4312 set thread context of 1356 | 4312 | igfxpk32.exe | 107
PID 2584 set thread context of 5084 | 2584 | igfxpk32.exe | 109
PID 3948 set thread context of 3636 | 3948 | igfxpk32.exe | 111
PID 696 set thread context of 2052 | 696 | igfxpk32.exe | 113
PID 1376 set thread context of 4680 | 1376 | igfxpk32.exe | 115
PID 3280 set thread context of 1876 | 3280 | igfxpk32.exe | 117
PID 5028 set thread context of 724 | 5028 | igfxpk32.exe | 119
PID 1828 set thread context of 4568 | 1828 | igfxpk32.exe | 121
PID 4340 set thread context of 4380 | 4340 | igfxpk32.exe | 123
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Modifies registry class 16 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxpk32.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes (nesting level shown; each process at level N is a child of the process at level N-1)

Level 1: C:\Users\Admin\AppData\Local\Temp\e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2016

Level 2: C:\Users\Admin\AppData\Local\Temp\e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4564

Level 3: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\E423DD~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1988

Level 4: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\E423DD~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2592

Level 5: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4836

Level 6: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 912

Level 7: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2704

Level 8: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3496

Level 9: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1932

Level 10: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 872

Level 11: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2500

Level 12: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4720

Level 13: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1216

Level 14: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4392

Level 15: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3260

Level 16: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 432

Level 17: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4312

Level 18: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1356

Level 19: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2584

Level 20: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 5084

Level 21: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3948

Level 22: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3636

Level 23: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 696

Level 24: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2052

Level 25: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1376

Level 26: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4680

Level 27: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3280

Level 28: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1876

Level 29: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 5028

Level 30: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 724

Level 31: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1828

Level 32: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4568

Level 33: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4340

Level 34: C:\Windows\SysWOW64\igfxpk32.exe
Command line: "C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID: 4380