Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-09-2024 14:14
Static task: static1
Behavioral task: behavioral1
  Sample: edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe
Size: 170KB
MD5: edc3b2e52d165b6c7beb50d591cba878
SHA1: 1450e4f778dc6a68db89dd54c406dd8868d41f0a
SHA256: 3d68cd3cd94edb3d4cc248294be736efb4673254175a28db1f04e4751b1479ac
SHA512: 66cee0d2ca7613a4162db93e1f5e675a8972e5d73def01534b6272845bd64eec8f8408d7ca9cff7d34a332e539f2ea9a70af0b235ef8337ce8ea36188995f98d
SSDEEP: 3072:M2nrY9mH+GU3hrGrGF2m0Y26SZUHK9ani4AOr/GaMl9gbUXAjNXXB99ueLK9er:brY973YiF2Tqni4AvarbOQR99uAyc
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
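What the extracted config entry "encoder/call4_dword_xor" refers to, as an added example that is not part of the report or of the sample: Metasploit's x86/call4_dword_xor encoder prepends a short decoder stub to the payload and XORs every 32-bit word of the payload with a single key. The "call4" is the trick the stub uses to find its own address (a `call $+4` that lands inside its own rel32 operand, leaving the return address on the stack for `pop esi`). The stub byte layout below is my reconstruction of the framework's decoder and should be checked against the Metasploit source before being relied on; the key, the payload bytes and the NOP padding are constructed for the demonstration.

```python
"""Encode and recover a payload in the x86/call4_dword_xor scheme.

Added example, not code from the report or the sample. Stub layout is an
assumption (my reading of the Metasploit encoder); key/payload are constructed.
"""
import struct

# Decoder stub, 24 bytes:
#   31 C9            xor ecx, ecx
#   83 E9 <imm8>     sub ecx, -N          ; N = number of dwords to decode
#   E8 FF FF FF FF   call $+4             ; lands on the last FF: "FF C0" = inc eax
#   C0 5E            (inc eax) ; pop esi  ; esi = address just after the call
#   81 76 0E <key>   xor dword [esi+0xe], key   ; esi+0xe == start of encoded body
#   83 EE FC         sub esi, -4
#   E2 F4            loop
STUB_PREFIX = b"\x31\xc9\x83\xe9"                          # followed by imm8
STUB_MID = b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"     # followed by 4-byte key
STUB_SUFFIX = b"\x83\xee\xfc\xe2\xf4"
STUB_LEN = len(STUB_PREFIX) + 1 + len(STUB_MID) + 4 + len(STUB_SUFFIX)  # 24


def xor_dwords(buf: bytes, key: int) -> bytes:
    """XOR each little-endian dword of buf with key (length must be a multiple of 4)."""
    if len(buf) % 4:
        raise ValueError("buffer length must be a multiple of 4")
    return b"".join(struct.pack("<I", d ^ key) for (d,) in struct.iter_unpack("<I", buf))


def encode(payload: bytes, key: int) -> bytes:
    """Return stub + encoded body. Padding with 0x90 is this example's choice."""
    body = payload + b"\x90" * (-len(payload) % 4)
    nblocks = len(body) // 4
    if not 1 <= nblocks <= 128:
        raise ValueError("sub ecx, imm8 can express 1..128 blocks only")
    stub = (STUB_PREFIX + struct.pack("b", -nblocks) + STUB_MID
            + struct.pack("<I", key) + STUB_SUFFIX)
    return stub + xor_dwords(body, key)


def parse_stub(blob: bytes):
    """Locate the stub; return (key, nblocks, body_offset) or None if absent."""
    i = blob.find(STUB_MID)
    if i < 5 or blob[i - 5:i - 1] != STUB_PREFIX:
        return None
    k = i + len(STUB_MID)                      # offset of the key
    if blob[k + 4:k + 9] != STUB_SUFFIX:
        return None
    nblocks = -struct.unpack("b", blob[i - 1:i])[0]
    key = struct.unpack("<I", blob[k:k + 4])[0]
    return key, nblocks, k + 9


def decode(blob: bytes) -> bytes:
    """Recover the plaintext body (including any padding) from stub + encoded body."""
    parsed = parse_stub(blob)
    if parsed is None:
        raise ValueError("call4_dword_xor stub not found")
    key, nblocks, off = parsed
    body = blob[off:off + 4 * nblocks]
    if len(body) != 4 * nblocks:
        raise ValueError("encoded body is truncated")
    return xor_dwords(body, key)


# Constructed demo input (not the sample's real shellcode).
DEMO_PAYLOAD = b"Hello, shellcode!"   # 17 bytes -> padded to 20 -> 5 dwords
DEMO_KEY = 0xDEADBEEF

if __name__ == "__main__":
    blob = encode(DEMO_PAYLOAD, DEMO_KEY)
    print(blob.hex())
    print(parse_stub(blob), decode(blob))
```

Because the key sits in the stub immediately ahead of the body, recovery from a memory dump is mechanical: msfvenom encoders exist to avoid bad characters and trivial byte signatures, not to resist analysis, which is why the sandbox can name the encoder from memory alone.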
Checks computer location settings (2 TTPs, 17 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | igfxwl32.exe (16 entries)
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe (1 entry)
Deletes itself (1 IoC)
pid | Process
2992 | igfxwl32.exe
Executes dropped EXE (32 IoCs)
pid | Process
3004, 2992, 856, 384, 4780, 1384, 5040, 4872, 2324, 3940, 4876, 2504, 4816, 2476, 2396, 2960, 2592, 4356, 3344, 3172, 208, 1428, 1992, 1768, 2944, 3324, 1044, 2772, 1460, 1240, 2448, 4764 | igfxwl32.exe
Yara rule match: upx (25 memory dumps, all covering 0x0000000000400000-0x0000000000466000)
resource | yara_rule
behavioral2/memory/2296-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2296-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2296-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2296-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2296-37-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2992-43-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2992-44-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2992-45-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2992-47-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/384-51-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/384-52-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/384-54-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1384-61-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4872-68-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3940-76-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2504-83-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2476-90-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2960-98-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4356-105-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3172-112-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1428-119-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1768-129-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3324-137-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2772-145-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1240-154-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe (16 entries)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe (16 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe (1 entry)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe (1 entry)
Drops file in System32 directory (51 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe (16 entries)
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe (16 entries)
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe (16 entries)
File created | C:\Windows\SysWOW64\igfxwl32.exe | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe (1 entry)
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe (1 entry)
File opened for modification | C:\Windows\SysWOW64\ | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe (1 entry)
Suspicious use of SetThreadContext (17 IoCs)
description | pid | Process | procid_target
PID 216 set thread context of 2296 | 216 | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe | 86
PID 3004 set thread context of 2992 | 3004 | igfxwl32.exe | 91
PID 856 set thread context of 384 | 856 | igfxwl32.exe | 93
PID 4780 set thread context of 1384 | 4780 | igfxwl32.exe | 97
PID 5040 set thread context of 4872 | 5040 | igfxwl32.exe | 99
PID 2324 set thread context of 3940 | 2324 | igfxwl32.exe | 101
PID 4876 set thread context of 2504 | 4876 | igfxwl32.exe | 103
PID 4816 set thread context of 2476 | 4816 | igfxwl32.exe | 105
PID 2396 set thread context of 2960 | 2396 | igfxwl32.exe | 107
PID 2592 set thread context of 4356 | 2592 | igfxwl32.exe | 109
PID 3344 set thread context of 3172 | 3344 | igfxwl32.exe | 111
PID 208 set thread context of 1428 | 208 | igfxwl32.exe | 113
PID 1992 set thread context of 1768 | 1992 | igfxwl32.exe | 115
PID 2944 set thread context of 3324 | 2944 | igfxwl32.exe | 117
PID 1044 set thread context of 2772 | 1044 | igfxwl32.exe | 119
PID 1460 set thread context of 1240 | 1460 | igfxwl32.exe | 121
PID 2448 set thread context of 4764 | 2448 | igfxwl32.exe | 123
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 34 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe (32 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe (2 entries)
Modifies registry class (17 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe (16 entries)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe (1 entry)
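The registry IoCs above (the Geo\Nation geofence lookup, the Disk\Enum sandbox check, the NLS\Language lookup and the CLSID\...\Instance key creation) are printed in the kernel's native object-manager form. To turn them into hunting rules they have to be rewritten in the hive notation that Sysmon and EDR telemetry use. The script below does that and groups the hits per process; it is an added example and not part of the report or the sample. The sample rows are copied from the report's listings (one representative row per key); mapping \REGISTRY\MACHINE to HKLM and \REGISTRY\USER to HKU is standard Windows naming, and folding ControlSet001 into CurrentControlSet assumes the VM booted from control set 1, the default on a fresh image.

```python
r"""Normalise the report's raw registry IoCs to HKLM/HKU/HKCU notation and group
them per process. Added example, not code from the report or the sample.
"""
import re
from collections import Counter, defaultdict

# Representative rows copied from the report's "description ioc Process" listings.
REPORT_ROWS = r"""
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation igfxwl32.exe
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxwl32.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxwl32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxwl32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxwl32.exe
""".strip().splitlines()

# action, then the path (may contain spaces, so match lazily), then the process name.
ROW_RE = re.compile(
    r"^(Key (?:opened|created|deleted|value queried|value set))\s+(\\REGISTRY\\.+?)\s+(\S+)$"
)
HIVE_ROOTS = {"MACHINE": "HKLM", "USER": "HKU"}
CONTROL_SET_RE = re.compile(r"ControlSet\d{3}", re.IGNORECASE)
HKU_SID_RE = re.compile(r"^HKU\\(S-1-5-21(?:-\d+){4})\\(.*)$")


def normalise(path: str) -> str:
    r"""\REGISTRY\MACHINE\... -> HKLM\..., \REGISTRY\USER\<SID>\... -> HKU\<SID>\...;
    a numbered control set under SYSTEM is folded into CurrentControlSet (assumption:
    the machine booted from that control set)."""
    parts = path.strip("\\").split("\\")
    if len(parts) < 2 or parts[0].upper() != "REGISTRY":
        raise ValueError(f"not a native registry path: {path!r}")
    root = HIVE_ROOTS.get(parts[1].upper())
    if root is None:
        raise ValueError(f"unknown hive root: {parts[1]!r}")
    rest = parts[2:]
    if (root == "HKLM" and len(rest) >= 2 and rest[0].upper() == "SYSTEM"
            and CONTROL_SET_RE.fullmatch(rest[1])):
        rest[1] = "CurrentControlSet"
    return "\\".join([root, *rest])


def user_relative(key: str) -> str:
    r"""Rewrite HKU\<SID>\... as HKCU\... so a single rule covers every user profile."""
    m = HKU_SID_RE.match(key)
    return f"HKCU\\{m.group(2)}" if m else key


def parse_row(row: str):
    """-> (action, normalised key, process), or None if the line is not a registry IoC row."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    action, path, proc = m.groups()
    return action, normalise(path), proc


def summarise(rows):
    """{process: Counter({(action, key): n})}. Registry paths are case-insensitive, so
    compare keys case-insensitively when turning these into rules (the report itself
    prints both Services\\Disk\\Enum and Services\\disk\\Enum\\0)."""
    summary = defaultdict(Counter)
    for row in rows:
        parsed = parse_row(row)
        if parsed:
            action, key, proc = parsed
            summary[proc][(action, key)] += 1
    return summary


if __name__ == "__main__":
    for proc, counter in summarise(REPORT_ROWS).items():
        print(proc)
        for (action, key), n in sorted(counter.items()):
            print(f"  {n}x {action:18s} {user_relative(key)}")
```

One caveat when taking this to Sysmon: its RegistryEvent IDs (12 key create/delete, 13 value set, 14 rename) record modifications only, so of the keys above only the "Key created" CLSID\...\Instance row is observable there; the Geo\Nation, Disk\Enum and NLS\Language reads need EDR or ETW registry read telemetry, where the HKU-to-HKCU rewrite keeps the rule independent of the victim's SID.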
Suspicious behavior: EnumeratesProcesses (64 IoCs; the listing stops after 64 entries)
pid | Process | entries
216 | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe | 2
2296 | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe | 4
3004 | igfxwl32.exe | 2
2992 | igfxwl32.exe | 4
856 | igfxwl32.exe | 2
384 | igfxwl32.exe | 4
4780 | igfxwl32.exe | 2
1384 | igfxwl32.exe | 4
5040 | igfxwl32.exe | 2
4872 | igfxwl32.exe | 4
2324 | igfxwl32.exe | 2
3940 | igfxwl32.exe | 4
4876 | igfxwl32.exe | 2
2504 | igfxwl32.exe | 4
4816 | igfxwl32.exe | 2
2476 | igfxwl32.exe | 4
2396 | igfxwl32.exe | 2
2960 | igfxwl32.exe | 4
2592 | igfxwl32.exe | 2
4356 | igfxwl32.exe | 4
3344 | igfxwl32.exe | 2
3172 | igfxwl32.exe | 2
Suspicious use of WriteProcessMemory (64 IoCs; the listing stops after 64 entries)
description | pid | Process | procid_target | entries
PID 216 wrote to memory of 2296 | 216 | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe | 86 | 7
PID 2296 wrote to memory of 3004 | 2296 | edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe | 88 | 3
PID 3004 wrote to memory of 2992 | 3004 | igfxwl32.exe | 91 | 7
PID 2992 wrote to memory of 856 | 2992 | igfxwl32.exe | 92 | 3
PID 856 wrote to memory of 384 | 856 | igfxwl32.exe | 93 | 7
PID 384 wrote to memory of 4780 | 384 | igfxwl32.exe | 94 | 3
PID 4780 wrote to memory of 1384 | 4780 | igfxwl32.exe | 97 | 7
PID 1384 wrote to memory of 5040 | 1384 | igfxwl32.exe | 98 | 3
PID 5040 wrote to memory of 4872 | 5040 | igfxwl32.exe | 99 | 7
PID 4872 wrote to memory of 2324 | 4872 | igfxwl32.exe | 100 | 3
PID 2324 wrote to memory of 3940 | 2324 | igfxwl32.exe | 101 | 7
PID 3940 wrote to memory of 4876 | 3940 | igfxwl32.exe | 102 | 3
PID 4876 wrote to memory of 2504 | 4876 | igfxwl32.exe | 103 | 4 (listing ends here)
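The SetThreadContext and WriteProcessMemory listings together describe the sample's execution pattern: each launcher writes into a child it has just created and then sets that child's thread context (the RunPE/process-hollowing pairing), and the hollowed child in turn spawns the next launcher with only a handful of writes. The script below rebuilds that chain from the raw rows and labels each PID; it is an added example, not part of the report or the sample. The rows are a subset copied from the report in its own format. Treating "written to and SetThreadContext'd by the same parent" as hollowing is this example's heuristic, and the assumption that the three-write edges are just what CreateProcess itself performs on a child is mine, not the report's.

```python
"""Rebuild the launcher/hollowed-host chain from the report's SetThreadContext and
WriteProcessMemory rows. Added example, not code from the report or the sample.
"""
import re
from collections import Counter

# Subset of rows copied from the report, format:
# "PID <src> <action> <dst> <src> <image of src> <sandbox procid_target>"
REPORT_ROWS = """
PID 216 set thread context of 2296 216 edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe 86
PID 3004 set thread context of 2992 3004 igfxwl32.exe 91
PID 856 set thread context of 384 856 igfxwl32.exe 93
PID 216 wrote to memory of 2296 216 edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe 86
PID 216 wrote to memory of 2296 216 edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe 86
PID 2296 wrote to memory of 3004 2296 edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe 88
PID 3004 wrote to memory of 2992 3004 igfxwl32.exe 91
PID 2992 wrote to memory of 856 2992 igfxwl32.exe 92
PID 856 wrote to memory of 384 856 igfxwl32.exe 93
PID 384 wrote to memory of 4780 384 igfxwl32.exe 94
""".strip().splitlines()

ROW_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\d+)$"
)


def parse_rows(rows):
    """-> [(src_pid, action, dst_pid, src_image)], skipping lines that are not IoC rows."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            src, action, dst, image, _procid_target = m.groups()
            events.append((int(src), action, int(dst), image))
    return events


def build_chain(events):
    """Walk parent->child edges from the root. Each node carries pid, image (when a row
    named it), writes_from_parent and a role: 'root', 'hollowed' (the parent both wrote
    to it and called SetThreadContext on it) or 'spawned' (writes only)."""
    writes, ctx, parent_of, image_of = Counter(), set(), {}, {}
    for src, action, dst, image in events:
        if dst in parent_of and parent_of[dst] != src:
            raise ValueError(f"pid {dst} has two parents")
        parent_of[dst] = src
        image_of[src] = image
        if action.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    roots = {p for p in parent_of.values() if p not in parent_of}
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {sorted(roots)}")
    child_of = {p: c for c, p in parent_of.items()}   # one child per parent in this chain
    pid = roots.pop()
    chain = [{"pid": pid, "image": image_of.get(pid), "role": "root", "writes_from_parent": 0}]
    while pid in child_of:
        child = child_of[pid]
        chain.append({
            "pid": child,
            "image": image_of.get(child),
            "role": "hollowed" if (pid, child) in ctx else "spawned",
            "writes_from_parent": writes[(pid, child)],
        })
        pid = child
    return chain


def hollowed_pids(chain):
    """PIDs whose original image was replaced: the processes worth dumping."""
    return [n["pid"] for n in chain if n["role"] == "hollowed"]


if __name__ == "__main__":
    chain = build_chain(parse_rows(REPORT_ROWS))
    for n in chain:
        print(f'{n["pid"]:>5} {n["role"]:8s} writes={n["writes_from_parent"]} {n["image"] or "?"}')
    print("dump:", hollowed_pids(chain))
```

Run against the full listings, the hollowed set is 2296, 2992, 384, 1384, 4872, 3940, 2504 and so on, which is exactly the set of PIDs the upx yara rule fires on above: the packed image lives only in the hollowed hosts, so those are the processes to dump, and the launcher PIDs carry nothing of interest.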
Processes
-
C:\Users\Admin\AppData\Local\Temp\edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Users\Admin\AppData\Local\Temp\edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\edc3b2e52d165b6c7beb50d591cba878_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\EDC3B2~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\EDC3B2~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2504 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4816 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2476 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2396 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2960 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2592 -
C:\Windows\SysWOW64\igfxwl32.exe (tree level 20)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4356
C:\Windows\SysWOW64\igfxwl32.exe (tree level 21)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3344
C:\Windows\SysWOW64\igfxwl32.exe (tree level 22)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3172
C:\Windows\SysWOW64\igfxwl32.exe (tree level 23)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 208
C:\Windows\SysWOW64\igfxwl32.exe (tree level 24)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1428
C:\Windows\SysWOW64\igfxwl32.exe (tree level 25)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1992
C:\Windows\SysWOW64\igfxwl32.exe (tree level 26)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1768
C:\Windows\SysWOW64\igfxwl32.exe (tree level 27)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2944
C:\Windows\SysWOW64\igfxwl32.exe (tree level 28)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3324
C:\Windows\SysWOW64\igfxwl32.exe (tree level 29)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1044
C:\Windows\SysWOW64\igfxwl32.exe (tree level 30)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2772
C:\Windows\SysWOW64\igfxwl32.exe (tree level 31)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1460
C:\Windows\SysWOW64\igfxwl32.exe (tree level 32)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1240
C:\Windows\SysWOW64\igfxwl32.exe (tree level 33)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2448
C:\Windows\SysWOW64\igfxwl32.exe (tree level 34)
Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4764
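The tree above is a single image, igfxwl32.exe, relaunching itself for twenty consecutive generations (tree levels 15 to 34), and the indicator sets alternate: one generation shows only "Suspicious use of SetThreadContext" (a thread-context rewrite, the hallmark of hollowing or injecting into the freshly spawned child), the next drops a file into System32, maps drives from the registry and modifies registry classes. Note also that every command line names C:\Windows\system32\ while the image that actually ran is under C:\Windows\SysWOW64\: the process is 32-bit and WOW64 file system redirection sent it to SysWOW64, so a hunt that only looks for the system32 path would miss the file. The following Python is an added example, not the sandbox vendor's code: it parses tree text in exactly the extracted layout shown on this page, recovers the self-relaunch chain, classifies each generation, and checks for the redirection mismatch. The "inject"/"install" stage labels are this example's own shorthand for the two indicator sets, and the sample text is constructed from three entries of the tree above.

```python
"""Parse a sandbox process tree in the page's extracted layout and flag a
self-relaunch chain. Added example; SAMPLE is constructed from the page's own
entries (levels 15 to 17), not captured from the sandbox."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE = r"""C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4816 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2476 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2396 -
"""

# Header line: image path fused to the quoted command line, then the tree
# level and the trailing arrow marker the page uses.
HEADER_RE = re.compile(r'^(?P<image>.+?\.exe)(?P<cmd>".*?)(?P<level>\d+)⤵\s*$')
INDICATOR_RE = re.compile(r"^-\s+(?P<name>.+?)\s*$")
PID_RE = re.compile(r"^PID:\s*(?P<pid>\d+)")

INJECT_HINT = "Suspicious use of SetThreadContext"
DROP_HINT = "Drops file in System32 directory"


@dataclass
class Proc:
    image: str
    cmdline: str
    level: int
    pid: int | None = None
    indicators: list[str] = field(default_factory=list)

    def stage(self) -> str:
        """Own shorthand: 'install' drops into System32, 'inject' only rewrites
        a thread context, anything else is 'other'."""
        if DROP_HINT in self.indicators:
            return "install"
        if INJECT_HINT in self.indicators:
            return "inject"
        return "other"

    def wow64_redirected(self) -> bool:
        """Command line says system32 but the image ran from SysWOW64."""
        parts = self.cmdline.split('"')
        cmd_image = parts[1] if len(parts) > 2 else self.cmdline.split()[0]
        return "\\system32\\" in cmd_image.lower() and "\\syswow64\\" in self.image.lower()


def parse_tree(text: str) -> list[Proc]:
    """Turn extracted tree text into Proc records in page order."""
    procs: list[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            procs.append(Proc(m["image"], m["cmd"], int(m["level"])))
        elif procs and (m := INDICATOR_RE.match(line)):
            procs[-1].indicators.append(m["name"])
        elif procs and (m := PID_RE.match(line)):
            procs[-1].pid = int(m["pid"])
    return procs


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def relaunch_chain(procs: list[Proc]) -> list[Proc]:
    """Longest run of consecutive entries where the same image basename
    appears exactly one tree level deeper each time (a self-relaunch loop)."""
    best: list[Proc] = []
    run: list[Proc] = []
    for p in procs:
        if run and _basename(p.image) == _basename(run[-1].image) and p.level == run[-1].level + 1:
            run.append(p)
        else:
            run = [p]
        if len(run) > len(best):
            best = list(run)
    return best


def stages_alternate(chain: list[Proc]) -> bool:
    """True when no two consecutive generations share a stage and none is 'other'."""
    stages = [p.stage() for p in chain]
    return len(stages) > 1 and all(
        a != b and "other" not in (a, b) for a, b in zip(stages, stages[1:])
    )


def summarize(text: str) -> dict:
    procs = parse_tree(text)
    chain = relaunch_chain(procs)
    return {
        "processes": len(procs),
        "chain_length": len(chain),
        "levels": [p.level for p in chain],
        "pids": [p.pid for p in chain],
        "stages": [p.stage() for p in chain],
        "alternating": stages_alternate(chain),
        "wow64_redirected": all(p.wow64_redirected() for p in chain),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Fed the full tree from this page, the same parser yields a twenty-entry chain with strictly alternating stages; a chain length that long from one image is itself a useful triage signal, independent of the hash. When hunting on a live host, check both C:\Windows\System32\igfxwl32.exe and C:\Windows\SysWOW64\igfxwl32.exe, since the redirected path is where this 32-bit sample actually landed.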
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 170KB
MD5: edc3b2e52d165b6c7beb50d591cba878
SHA1: 1450e4f778dc6a68db89dd54c406dd8868d41f0a
SHA256: 3d68cd3cd94edb3d4cc248294be736efb4673254175a28db1f04e4751b1479ac
SHA512: 66cee0d2ca7613a4162db93e1f5e675a8972e5d73def01534b6272845bd64eec8f8408d7ca9cff7d34a332e539f2ea9a70af0b235ef8337ce8ea36188995f98d