Analysis
max time kernel: 145s
max time network: 120s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 08:41

Static task: static1
Behavioral task: behavioral1
  Sample: e4658e0e2726e3df9e57d0803f81131a_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: e4658e0e2726e3df9e57d0803f81131a_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: e4658e0e2726e3df9e57d0803f81131a_JaffaCakes118.exe
Size: 170KB
MD5: e4658e0e2726e3df9e57d0803f81131a
SHA1: 2010f7a6959a79f6f62fc3b9d60a2fbfaa319576
SHA256: 32f27b469d6dff3ac95afd75128099dca7ff571e8ba6da207f6b66c5c72a20d5
SHA512: 36f1940cbf82f4562126cc903c17e0d4335cfb5da31f1266654c4cb72d7b6391343c5675415af7ec0680879d542aeef001bfdf75dd41bc8cf3227678d85fce5f
SSDEEP: 3072:D2xg58AduDN+pg9Qpw0NAYgU8a329Bxq6Gasm5+7g:XWAw0Vj8aOBTLsf7g
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself 1 IoCs
pid 2544, Process igfxwl32.exe
Executes dropped EXE 33 IoCs
Loads dropped DLL 33 IoCs
resource yara_rule: upx (behavioral1 memory dumps)
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 51 IoCs
Suspicious use of SetThreadContext 17 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 51 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1 (PID 2668): C:\Users\Admin\AppData\Local\Temp\e4658e0e2726e3df9e57d0803f81131a_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e4658e0e2726e3df9e57d0803f81131a_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 2 (PID 2776): C:\Users\Admin\AppData\Local\Temp\e4658e0e2726e3df9e57d0803f81131a_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e4658e0e2726e3df9e57d0803f81131a_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 3 (PID 2740): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\E4658E~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 4 (PID 2544): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\E4658E~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 5 (PID 564): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 6 (PID 2716): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 7 (PID 768): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 8 (PID 2004): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 9 (PID 2188): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 10 (PID 832): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 11 (PID 2912): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 12 (PID 292): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 13 (PID 900): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 14 (PID 404): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 15 (PID 2888): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 16 (PID 868): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 17 (PID 1676): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 18 (PID 2428): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 19 (PID 2488): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 20 (PID 2756): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 21 (PID 2672): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 22 (PID 2904): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 23 (PID 2596): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 24 (PID 1048): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 25 (PID 2796): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 26 (PID 624): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 27 (PID 768): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 28 (PID 2260): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 29 (PID 2500): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 30 (PID 480): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 31 (PID 2912): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 32 (PID 3060): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 33 (PID 2392): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 34 (PID 828): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Level 35 (PID 1624): C:\Windows\SysWOW64\igfxwl32.exe
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15