Analysis
max time kernel: 145s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 17-09-2024 09:28
Static task: static1
Behavioral task: behavioral1
Sample: e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe
Size: 170KB
MD5: e683ef8b6e8160731e2fe86d49b3fd55
SHA1: a2a2a1e7edac0d347545799b3262422026dc9f03
SHA256: b810ab4a531b213b97d8396032b96b288dcac0da883d3da4a31e1a72d45e87eb
SHA512: f8a32856176de266103785528d218c2fdf1d5a6fe0a08d3f962d54d1eb6ab3d44b302fc26c6218cff6e83d208d6780d7e879754b7c74a01d07a3e792983a57ac
SSDEEP: 3072:P2USgYgM+Lk7u3+veXR4vWhD9tvXJBZ1w4UVyth+KGMiEcs:D9YaEuuGXR4+D931w/ythmMFcs
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself 1 IoCs
pid Process 2164 igfxwl32.exe
Executes dropped EXE 33 IoCs
Loads dropped DLL 33 IoCs
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 51 IoCs
Suspicious use of SetThreadContext 17 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 51 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe" (depth 1)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1484
C:\Users\Admin\AppData\Local\Temp\e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe" (depth 2)
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2640
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\E683EF~1.EXE (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2652
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\E683EF~1.EXE (depth 4)
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2164
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2732
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2592
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1304
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1992
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2548
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 640
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2908
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3068
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 304
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2540
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1868
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1952
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 17)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1528
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 18)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2280
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 19)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2264
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 20)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2480
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 21)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2200
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 22)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2028
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 23)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2700
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 24)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2884
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 25)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2840
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 26)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2288
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 27)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1256
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 28)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1996
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 29)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1680
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 30)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1912
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 31)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2944
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 32)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2000
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 33)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2948
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 34)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2428
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe (depth 35)
- Executes dropped EXE
PID: 1700
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 170KB
MD5: e683ef8b6e8160731e2fe86d49b3fd55
SHA1: a2a2a1e7edac0d347545799b3262422026dc9f03
SHA256: b810ab4a531b213b97d8396032b96b288dcac0da883d3da4a31e1a72d45e87eb
SHA512: f8a32856176de266103785528d218c2fdf1d5a6fe0a08d3f962d54d1eb6ab3d44b302fc26c6218cff6e83d208d6780d7e879754b7c74a01d07a3e792983a57ac