Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-09-2024 09:28

Static task: static1
Behavioral task: behavioral1
  Sample: e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe
  Resource: win10v2004-20240802-en

General

Target: e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe
Size: 170KB
MD5: e683ef8b6e8160731e2fe86d49b3fd55
SHA1: a2a2a1e7edac0d347545799b3262422026dc9f03
SHA256: b810ab4a531b213b97d8396032b96b288dcac0da883d3da4a31e1a72d45e87eb
SHA512: f8a32856176de266103785528d218c2fdf1d5a6fe0a08d3f962d54d1eb6ab3d44b302fc26c6218cff6e83d208d6780d7e879754b7c74a01d07a3e792983a57ac
SSDEEP: 3072:P2USgYgM+Lk7u3+veXR4vWhD9tvXJBZ1w4UVyth+KGMiEcs:D9YaEuuGXR4+D931w/ythmMFcs
Malware Config

Extracted
  Family: metasploit
  Encoder: encoder/call4_dword_xor
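Added example (not from the report, and not Metasploit's own code): a small Python re-implementation of the x86 call4_dword_xor scheme named in the extracted config, so that the config line is concrete. It encodes a constructed stand-in payload and recovers it the way an analyst would on a dumped blob: locate the decoder stub, read the key and the dword count out of the stub, and XOR the body back. The stub byte layout is my reading of the Metasploit encoder module, and the counter setup is fixed to `sub ecx, imm32` although the framework may pick another badchar-free encoding; treat both as assumptions to verify against the framework source before using this on a real blob.

```python
import struct

# Decoder stub byte layout (assumption: my reading of the Metasploit
# x86/call4_dword_xor module; verify against the framework source).
#
#   31 C9              xor ecx, ecx
#   81 E9 <imm32>      sub ecx, -N         ; ecx = N = number of encoded dwords
#   E8 FF FF FF FF     call $+4            ; jumps onto the call's own last FF byte
#   C0                 (FF C0) inc eax     ; that FF plus this C0 decode as inc eax
#   5E                 pop esi             ; esi = return address = address of the C0
#   81 76 0E <key>     xor [esi+0x0E], key ; esi+0x0E is the first encoded dword
#   83 EE FC           sub esi, -4         ; esi += 4
#   E2 F4              loop                ; back to the xor until ecx hits zero
STUB_XOR_ECX = bytes([0x31, 0xC9])
STUB_CALL = bytes([0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0xC0, 0x5E, 0x81, 0x76, 0x0E])
STUB_LOOP = bytes([0x83, 0xEE, 0xFC, 0xE2, 0xF4])


def encode(payload: bytes, key: int) -> bytes:
    """Pad to a dword multiple, XOR every dword with key, prepend the stub."""
    padded = payload + b"\x90" * (-len(payload) % 4)
    ndwords = len(padded) // 4
    # sub ecx, -N  (fixed to the 81 E9 imm32 form here; see the assumption above)
    sub_ecx = bytes([0x81, 0xE9]) + struct.pack("<i", -ndwords)
    body = b"".join(
        struct.pack("<I", struct.unpack("<I", padded[i:i + 4])[0] ^ key)
        for i in range(0, len(padded), 4)
    )
    return STUB_XOR_ECX + sub_ecx + STUB_CALL + struct.pack("<I", key) + STUB_LOOP + body


def decode(blob: bytes):
    """Find the stub, pull key and loop count out of it, undo the XOR.

    Returns (key, decoded_bytes).  The loop count comes from the counter
    setup, not from the blob length, so trailing junk after the payload is ignored.
    """
    idx = blob.find(STUB_CALL)
    if idx < 0:
        raise ValueError("call4_dword_xor stub not found")
    if idx < 6 or blob[idx - 6:idx - 4] != bytes([0x81, 0xE9]):
        raise ValueError("counter setup is not the sub ecx, imm32 form this decoder expects")
    ndwords = -struct.unpack("<i", blob[idx - 4:idx])[0]
    key_off = idx + len(STUB_CALL)
    key = struct.unpack("<I", blob[key_off:key_off + 4])[0]
    body_off = key_off + 4 + len(STUB_LOOP)
    body = blob[body_off:body_off + 4 * ndwords]
    if len(body) != 4 * ndwords:
        raise ValueError("blob is shorter than the loop count claims")
    plain = b"".join(
        struct.pack("<I", struct.unpack("<I", body[i:i + 4])[0] ^ key)
        for i in range(0, len(body), 4)
    )
    return key, plain


if __name__ == "__main__":
    # Constructed stand-in for a payload; a real msfvenom blob would go here.
    sample = b"\xcc" * 9
    blob = encode(sample, 0x11223344)
    key, plain = decode(blob)
    print(f"key=0x{key:08x} recovered={plain.hex()}")
```

The decoded output keeps the 0x90 padding the encoder added to reach a dword boundary; strip it only if you know the original payload length.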
Signatures

MetaSploit
Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.
Checks computer location settings (2 TTPs, 17 IoCs)
Looks up the country code configured in the registry, likely for geofencing.

  description         ioc                                                                                                  process                                              count
  Key value queried   \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation   igfxwl32.exe                                         16
  Key value queried   \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation   e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   1
Deletes itself (1 IoC)

  pid    process
  4336   igfxwl32.exe
Executes dropped EXE (33 IoCs)

  process: igfxwl32.exe
  pids: 3608, 4336, 1832, 2256, 4608, 1612, 3632, 1228, 1644, 3052, 696, 1984, 4092, 3680, 4952, 4048, 4852, 4276, 3252, 4956, 2520, 3372, 5008, 1456, 1220, 472, 224, 4800, 4388, 1432, 3104, 2904, 4220
Yara rule match: upx (22 IoCs)
Every listed memory dump is the same 0x00400000-0x00466000 region (the 32-bit default image base) and matches the upx rule.

  resource (behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000466000-memory.dmp)   yara_rule
  4780-0, 4780-2, 4780-3, 4780-4, 4780-38                                                        upx
  4336-44, 4336-47                                                                               upx
  2256-54, 1612-61, 1228-68, 3052-76, 1984-83, 3680-91, 4048-98, 4276-104                        upx
  4956-111, 3372-119, 1456-128, 472-137, 4800-145, 1432-153, 2904-161                            upx
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.

  description         ioc                                                          process                                              count
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0   igfxwl32.exe                                         16
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0   e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   1
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxwl32.exe                                         16
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   1
Drops file in System32 directory (51 IoCs)

  description                    ioc                                process                                              count
  File created                   C:\Windows\SysWOW64\igfxwl32.exe   igfxwl32.exe                                         16
  File created                   C:\Windows\SysWOW64\igfxwl32.exe   e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   1
  File opened for modification   C:\Windows\SysWOW64\igfxwl32.exe   igfxwl32.exe                                         16
  File opened for modification   C:\Windows\SysWOW64\igfxwl32.exe   e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   1
  File opened for modification   C:\Windows\SysWOW64\               igfxwl32.exe                                         16
  File opened for modification   C:\Windows\SysWOW64\               e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   1
Suspicious use of SetThreadContext (17 IoCs)

  description                           pid    process                                              procid_target
  PID 1132 set thread context of 4780   1132   e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   86
  PID 3608 set thread context of 4336   3608   igfxwl32.exe                                         91
  PID 1832 set thread context of 2256   1832   igfxwl32.exe                                         93
  PID 4608 set thread context of 1612   4608   igfxwl32.exe                                         97
  PID 3632 set thread context of 1228   3632   igfxwl32.exe                                         99
  PID 1644 set thread context of 3052   1644   igfxwl32.exe                                         101
  PID 696 set thread context of 1984    696    igfxwl32.exe                                         103
  PID 4092 set thread context of 3680   4092   igfxwl32.exe                                         105
  PID 4952 set thread context of 4048   4952   igfxwl32.exe                                         107
  PID 4852 set thread context of 4276   4852   igfxwl32.exe                                         109
  PID 3252 set thread context of 4956   3252   igfxwl32.exe                                         111
  PID 2520 set thread context of 3372   2520   igfxwl32.exe                                         113
  PID 5008 set thread context of 1456   5008   igfxwl32.exe                                         115
  PID 1220 set thread context of 472    1220   igfxwl32.exe                                         117
  PID 224 set thread context of 4800    224    igfxwl32.exe                                         119
  PID 4388 set thread context of 1432   4388   igfxwl32.exe                                         121
  PID 3104 set thread context of 2904   3104   igfxwl32.exe                                         123
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 34 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  description   ioc                                                           process                                              count
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   igfxwl32.exe                                         32
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   2
Modifies registry class (17 IoCs)

  description   ioc                                                                                                    process                                              count
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\   igfxwl32.exe                                         16
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\   e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   1
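Added example (not part of the report): Python that normalizes the raw registry rows of the four registry signatures above (Geo\Nation, Services\disk\Enum, NLS\Language and the CLSID\...\Instance key) into a hive- and case-independent form and tags the technique each one implies. The technique labels are mine; the key paths and process names are the report's, reduced to one row per shape. The normalization handles the pitfalls you hit when matching sandbox output against detection rules: \REGISTRY\MACHINE versus HKLM, a per-user SID hive versus HKCU, ControlSet001 versus CurrentControlSet, and letter case (the report itself prints both disk\Enum and Disk\Enum, and a case-sensitive matcher would miss half of those events). A WOW6432Node path is also flagged, since it marks a 32-bit process going through registry redirection on this x64 image.

```python
import re
from collections import defaultdict

# Constructed from the report rows above, one row of each shape.
REG_EVENTS = r"""
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation igfxwl32.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwl32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwl32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwl32.exe
"""

# "<operation> <key path, may contain spaces> <process image>"
ROW = re.compile(r"^(Key value queried|Key opened|Key created) (.+) (\S+)$")
USER_SID = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.I)

# Technique labels are my own naming; the patterns are the normalized key paths.
TECHNIQUES = [
    ("geofence (Geo/Nation)",
     re.compile(r"^hkcu\\control panel\\international\\geo\\nation$")),
    ("language discovery (NLS/Language)",
     re.compile(r"^hklm\\system\\currentcontrolset\\control\\nls\\language$")),
    ("drive enumeration (Services/disk/Enum)",
     re.compile(r"^hklm\\system\\currentcontrolset\\services\\disk\\enum(\\\d+)?$")),
    ("COM class registration (CLSID)",
     re.compile(r"^hklm\\software\\classes\\(wow6432node\\)?clsid\\\{[0-9a-f-]{36}\}")),
]


def normalize(key: str) -> str:
    """Kernel-style path -> lower-case HKLM/HKCU form, ControlSetNNN folded."""
    k = key.rstrip("\\")
    k = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", k, flags=re.I)
    k = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", k, flags=re.I)
    # A per-user S-1-5-21-* hive is what HKCU resolves to for that user; dropping
    # the SID lets a rule written against HKCU match (assumption: that rule style).
    k = USER_SID.sub(r"HKCU\\", k)
    k = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", k, flags=re.I)
    return k.casefold()


def is_wow64_redirected(nkey: str) -> bool:
    """True when the write landed under WOW6432Node, i.e. a 32-bit process on x64."""
    return "\\wow6432node\\" in nkey


def classify(nkey: str):
    for label, pat in TECHNIQUES:
        if pat.match(nkey):
            return label
    return None


def tag_events(text: str):
    """Per-process counts of the technique each registry event implies."""
    per_proc = defaultdict(lambda: defaultdict(int))
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        _op, key, proc = m.groups()
        label = classify(normalize(key)) or "unclassified"
        per_proc[proc][label] += 1
    return {p: dict(c) for p, c in per_proc.items()}


if __name__ == "__main__":
    for proc, counts in tag_events(REG_EVENTS).items():
        print(proc, counts)
```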
Suspicious behavior: EnumeratesProcesses (64 IoCs; the listing stops at 64 entries, later PIDs from the process tree are not shown)

  pid    process                                              count
  1132   e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   2
  4780   e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   4
  3608   igfxwl32.exe                                         2
  4336   igfxwl32.exe                                         4
  1832   igfxwl32.exe                                         2
  2256   igfxwl32.exe                                         4
  4608   igfxwl32.exe                                         2
  1612   igfxwl32.exe                                         4
  3632   igfxwl32.exe                                         2
  1228   igfxwl32.exe                                         4
  1644   igfxwl32.exe                                         2
  3052   igfxwl32.exe                                         4
  696    igfxwl32.exe                                         2
  1984   igfxwl32.exe                                         4
  4092   igfxwl32.exe                                         2
  3680   igfxwl32.exe                                         4
  4952   igfxwl32.exe                                         2
  4048   igfxwl32.exe                                         4
  4852   igfxwl32.exe                                         2
  4276   igfxwl32.exe                                         4
  3252   igfxwl32.exe                                         2
  4956   igfxwl32.exe                                         2
Suspicious use of WriteProcessMemory (64 IoCs; the listing stops at 64 entries, later PIDs from the process tree are not shown)

  description                        pid    process                                              procid_target   count
  PID 1132 wrote to memory of 4780   1132   e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   86              7
  PID 4780 wrote to memory of 3608   4780   e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe   88              3
  PID 3608 wrote to memory of 4336   3608   igfxwl32.exe                                         91              7
  PID 4336 wrote to memory of 1832   4336   igfxwl32.exe                                         92              3
  PID 1832 wrote to memory of 2256   1832   igfxwl32.exe                                         93              7
  PID 2256 wrote to memory of 4608   2256   igfxwl32.exe                                         94              3
  PID 4608 wrote to memory of 1612   4608   igfxwl32.exe                                         97              7
  PID 1612 wrote to memory of 3632   1612   igfxwl32.exe                                         98              3
  PID 3632 wrote to memory of 1228   3632   igfxwl32.exe                                         99              7
  PID 1228 wrote to memory of 1644   1228   igfxwl32.exe                                         100             3
  PID 1644 wrote to memory of 3052   1644   igfxwl32.exe                                         101             7
  PID 3052 wrote to memory of 696    3052   igfxwl32.exe                                         102             3
  PID 696 wrote to memory of 1984    696    igfxwl32.exe                                         103             4
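Added example (not part of the report): Python that reconstructs the self-replication chain from the SetThreadContext and WriteProcessMemory rows above, with the PID-to-image map taken from the process tree below. A parent that writes into a child and then re-points the child's thread, where both run the same image, is the suspended-copy-of-self pattern (process hollowing / RunPE); writes with no matching SetThreadContext are treated as ordinary spawns, which is my heuristic and fits this report (3 such writes per spawn against 7 into each hollowed child). The event subset is de-duplicated from the report. Note also that the command lines below name C:\Windows\system32\igfxwl32.exe while the image runs from C:\Windows\SysWOW64\igfxwl32.exe: the sample is 32-bit, so WOW64 file-system redirection resolves system32 to SysWOW64, consistent with the SysWOW64 drop and the WOW6432Node CLSID key.

```python
import re
from collections import Counter

# Constructed from the report: PID -> image from the process tree, plus a
# de-duplicated subset of the SetThreadContext / WriteProcessMemory rows.
SAMPLE = "e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe"
DROPPED = "igfxwl32.exe"
IMAGE_OF = {1132: SAMPLE, 4780: SAMPLE,
            3608: DROPPED, 4336: DROPPED, 1832: DROPPED, 2256: DROPPED,
            4608: DROPPED, 1612: DROPPED}

EVENTS = """
PID 1132 set thread context of 4780 1132 e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe 86
PID 3608 set thread context of 4336 3608 igfxwl32.exe 91
PID 1832 set thread context of 2256 1832 igfxwl32.exe 93
PID 4608 set thread context of 1612 4608 igfxwl32.exe 97
PID 1132 wrote to memory of 4780 1132 e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe 86
PID 1132 wrote to memory of 4780 1132 e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe 86
PID 4780 wrote to memory of 3608 4780 e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe 88
PID 3608 wrote to memory of 4336 3608 igfxwl32.exe 91
PID 4336 wrote to memory of 1832 4336 igfxwl32.exe 92
PID 1832 wrote to memory of 2256 1832 igfxwl32.exe 93
PID 2256 wrote to memory of 4608 2256 igfxwl32.exe 94
PID 4608 wrote to memory of 1612 4608 igfxwl32.exe 97
"""

# "PID <src> <op> <dst> <src> <image> <procid_target>"; the \1 backreference
# insists the repeated source PID agrees with the first one.
ROW = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\d+)$")


def parse(text: str):
    """(set of SetThreadContext (src, dst) edges, Counter of WriteProcessMemory edges)."""
    ctx, wpm = set(), Counter()
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, kind, dst = int(m.group(1)), m.group(2), int(m.group(3))
        if kind.startswith("set thread"):
            ctx.add((src, dst))
        else:
            wpm[(src, dst)] += 1
    return ctx, wpm


def hollow_pairs(ctx, wpm, image_of):
    """Parent wrote into the child, re-pointed its thread, and both run the
    same image: the suspended-copy-of-self hollowing pattern."""
    return sorted((s, d) for (s, d) in ctx
                  if wpm[(s, d)] and image_of.get(s) == image_of.get(d))


def spawn_edges(ctx, wpm):
    """Writes into a child that was never re-contexted: plain process creation
    (heuristic; this report shows 3 writes per spawn versus 7 per hollowed child)."""
    return sorted(e for e in wpm if e not in ctx)


def replication_chain(hollow, spawn):
    """Walk root -> hollowed child -> process it spawned -> its hollowed child ..."""
    hollow_of, spawn_of = dict(hollow), dict(spawn)
    targets = {d for _, d in hollow} | {d for _, d in spawn}
    roots = [s for s, _ in hollow if s not in targets]
    chain, pid = [], (roots[0] if roots else None)
    while pid in hollow_of:
        child = hollow_of[pid]
        chain.append((pid, child))
        pid = spawn_of.get(child)
    return chain


if __name__ == "__main__":
    ctx, wpm = parse(EVENTS)
    hollow = hollow_pairs(ctx, wpm, IMAGE_OF)
    spawn = spawn_edges(ctx, wpm)
    for parent, child in replication_chain(hollow, spawn):
        print(f"{parent} ({IMAGE_OF[parent]}) hollowed {child}")
```

Run against the full 64-row listing the chain simply gets longer; the shape (hollow, spawn, hollow, spawn) is what a detection should key on, not the particular PIDs.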
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe"
  PID: 1132
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 2: C:\Users\Admin\AppData\Local\Temp\e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e683ef8b6e8160731e2fe86d49b3fd55_JaffaCakes118.exe"
  PID: 4780
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\E683EF~1.EXE
  PID: 3608
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\E683EF~1.EXE
  PID: 4336
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 1832
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 6: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 2256
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4608
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 8: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 1612
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 9: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 3632
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 10: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 1228
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 11: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 1644
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 12: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 3052
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 13: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 696
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 14: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 1984
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
Level 15: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4092
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Level 16: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 3680
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
Level 17: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4952
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Level 18: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4048
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
Level 19: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4852
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Level 20: C:\Windows\SysWOW64\igfxwl32.exe
  Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
  PID: 4276
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3252
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4956
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2520
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3372
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5008
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1456
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1220
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:472
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:224
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4800
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4388
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1432
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3104
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2904
C:\Windows\SysWOW64\igfxwl32.exe "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe 35⤵
- Executes dropped EXE
PID:4220
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
170KB
MD5 e683ef8b6e8160731e2fe86d49b3fd55
SHA1 a2a2a1e7edac0d347545799b3262422026dc9f03
SHA256 b810ab4a531b213b97d8396032b96b288dcac0da883d3da4a31e1a72d45e87eb
SHA512 f8a32856176de266103785528d218c2fdf1d5a6fe0a08d3f962d54d1eb6ab3d44b302fc26c6218cff6e83d208d6780d7e879754b7c74a01d07a3e792983a57ac