Analysis
- max time kernel: 149s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-09-2024 06:35
- Static task: static1
- Behavioral task behavioral1: sample ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe, resource win7-20240903-en
- Behavioral task behavioral2: sample ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe, resource win10v2004-20240802-en

General
- Target: ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe
- Size: 212KB
- MD5: ef3d6f4bd62f84db332e1d0fbdbb4537
- SHA1: 543f4273a69641ebd51d2a0f0bf763f25bb2abe3
- SHA256: 62d8e098de999619b1398b6b676d5ab3b2e8bda7e187b1d83dbfa7edece280f2
- SHA512: 8d29de043da9c5cb6e08694d15bca6cb9591da41b7d20a60db579bfd160c9e4394d530a26fd523c5ce777c0340f59962878602125a5a9841830991d475161fcd
- SSDEEP: 6144:9bAKuUtGfJeurOpVvJ88UzeWs4G+nL1a5:9bAKu2rTvy8U44Gqs

Malware Config
- Extracted: metasploit, encoder/call4_dword_xor
Signatures
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Checks computer location settings (2 TTPs, 14 IoCs): Looks up country code configured in the registry, likely geofence.
- Deletes itself (1 IoC)
- Executes dropped EXE (28 IoCs)
- Maps connected drives based on registry (3 TTPs, 30 IoCs): Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory (42 IoCs)
- Suspicious use of SetThreadContext (15 IoCs)
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 29 IoCs): Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies registry class (14 IoCs)
- Suspicious behavior: EnumeratesProcesses (58 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe (PID 3400)
Command line: "C:\Users\Admin\AppData\Local\Temp\ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Admin\AppData\Local\Temp\ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe (PID 1752)
Command line: "C:\Users\Admin\AppData\Local\Temp\ef3d6f4bd62f84db332e1d0fbdbb4537_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\igfxwf32.exe (PID 2872)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Users\Admin\AppData\Local\Temp\EF3D6F~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SysWOW64\igfxwf32.exe (PID 1936)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Users\Admin\AppData\Local\Temp\EF3D6F~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\igfxwf32.exe (PID 1216)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\igfxwf32.exe (PID 452)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\SysWOW64\igfxwf32.exe (PID 652)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\SysWOW64\igfxwf32.exe (PID 4588)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\SysWOW64\igfxwf32.exe (PID 3228)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\SysWOW64\igfxwf32.exe (PID 992)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\SysWOW64\igfxwf32.exe (PID 1736)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\SysWOW64\igfxwf32.exe (PID 372)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 13: C:\Windows\SysWOW64\igfxwf32.exe (PID 3628)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 14: C:\Windows\SysWOW64\igfxwf32.exe (PID 636)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 15: C:\Windows\SysWOW64\igfxwf32.exe (PID 4928)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 16: C:\Windows\SysWOW64\igfxwf32.exe (PID 4284)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 17: C:\Windows\SysWOW64\igfxwf32.exe (PID 3888)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 18: C:\Windows\SysWOW64\igfxwf32.exe (PID 3404)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 19: C:\Windows\SysWOW64\igfxwf32.exe (PID 4584)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 20: C:\Windows\SysWOW64\igfxwf32.exe (PID 212)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 21: C:\Windows\SysWOW64\igfxwf32.exe (PID 5108)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 22: C:\Windows\SysWOW64\igfxwf32.exe (PID 4876)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 23: C:\Windows\SysWOW64\igfxwf32.exe (PID 2780)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 24: C:\Windows\SysWOW64\igfxwf32.exe (PID 4244)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 25: C:\Windows\SysWOW64\igfxwf32.exe (PID 2588)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 26: C:\Windows\SysWOW64\igfxwf32.exe (PID 624)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 27: C:\Windows\SysWOW64\igfxwf32.exe (PID 2204)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 28: C:\Windows\SysWOW64\igfxwf32.exe (PID 1688)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 29: C:\Windows\SysWOW64\igfxwf32.exe (PID 652)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 30: C:\Windows\SysWOW64\igfxwf32.exe (PID 2160)
Command line: "C:\Windows\system32\igfxwf32.exe" C:\Windows\SysWOW64\igfxwf32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses