Analysis
max time kernel: 145s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/09/2024, 06:35
Static task: static1
Behavioral task: behavioral1
  Sample: ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe
Size: 212KB
MD5: ef3d6f4bd62f84db332e1d0fbdbb4537
SHA1: 543f4273a69641ebd51d2a0f0bf763f25bb2abe3
SHA256: 62d8e098de999619b1398b6b676d5ab3b2e8bda7e187b1d83dbfa7edece280f2
SHA512: 8d29de043da9c5cb6e08694d15bca6cb9591da41b7d20a60db579bfd160c9e4394d530a26fd523c5ce777c0340f59962878602125a5a9841830991d475161fcd
SSDEEP: 6144:9bAKuUtGfJeurOpVvJ88UzeWs4G+nL1a5:9bAKu2rTvy8U44Gqs
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself 1 IoCs
pid Process: 2524 igfxwf32.exe
Executes dropped EXE 29 IoCs
Loads dropped DLL 29 IoCs
Maps connected drives based on registry 3 TTPs 30 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 45 IoCs
Suspicious use of SetThreadContext 15 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 30 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe (PID 2720)
Command line: "C:\Users\Admin\AppData\Local\Temp\ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

[depth 2] C:\Users\Admin\AppData\Local\Temp\ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe (PID 2292)
Command line: "C:\Users\Admin\AppData\Local\Temp\ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\igfxwf32.exe (PID 2588)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Users\Admin\AppData\Local\Temp\EF3D6F~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\SysWOW64\igfxwf32.exe (PID 2524)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Users\Admin\AppData\Local\Temp\EF3D6F~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\SysWOW64\igfxwf32.exe (PID 1120)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\SysWOW64\igfxwf32.exe (PID 2488)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\SysWOW64\igfxwf32.exe (PID 2100)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\SysWOW64\igfxwf32.exe (PID 2544)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\SysWOW64\igfxwf32.exe (PID 2192)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\SysWOW64\igfxwf32.exe (PID 300)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\SysWOW64\igfxwf32.exe (PID 2760)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\SysWOW64\igfxwf32.exe (PID 2368)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\SysWOW64\igfxwf32.exe (PID 1044)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

[depth 14] C:\Windows\SysWOW64\igfxwf32.exe (PID 1076)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

[depth 15] C:\Windows\SysWOW64\igfxwf32.exe (PID 824)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

[depth 16] C:\Windows\SysWOW64\igfxwf32.exe (PID 1744)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

[depth 17] C:\Windows\SysWOW64\igfxwf32.exe (PID 624)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

[depth 18] C:\Windows\SysWOW64\igfxwf32.exe (PID 2460)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

[depth 19] C:\Windows\SysWOW64\igfxwf32.exe (PID 2216)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

[depth 20] C:\Windows\SysWOW64\igfxwf32.exe (PID 2796)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

[depth 21] C:\Windows\SysWOW64\igfxwf32.exe (PID 2732)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

[depth 22] C:\Windows\SysWOW64\igfxwf32.exe (PID 2892)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

[depth 23] C:\Windows\SysWOW64\igfxwf32.exe (PID 2024)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

[depth 24] C:\Windows\SysWOW64\igfxwf32.exe (PID 1500)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

[depth 25] C:\Windows\SysWOW64\igfxwf32.exe (PID 1700)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

[depth 26] C:\Windows\SysWOW64\igfxwf32.exe (PID 2560)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

[depth 27] C:\Windows\SysWOW64\igfxwf32.exe (PID 1796)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

[depth 28] C:\Windows\SysWOW64\igfxwf32.exe (PID 2848)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

[depth 29] C:\Windows\SysWOW64\igfxwf32.exe (PID 2912)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

[depth 30] C:\Windows\SysWOW64\igfxwf32.exe (PID 1704)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

[depth 31] C:\Windows\SysWOW64\igfxwf32.exe (PID 1952)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
Downloads
Filesize: 212KB
MD5: ef3d6f4bd62f84db332e1d0fbdbb4537
SHA1: 543f4273a69641ebd51d2a0f0bf763f25bb2abe3
SHA256: 62d8e098de999619b1398b6b676d5ab3b2e8bda7e187b1d83dbfa7edece280f2
SHA512: 8d29de043da9c5cb6e08694d15bca6cb9591da41b7d20a60db579bfd160c9e4394d530a26fd523c5ce777c0340f59962878602125a5a9841830991d475161fcd