Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-09-2024 08:26
Static task: static1
Behavioral task: behavioral1
Sample: ef687378b284cacb06528aa6fc23b523_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: ef687378b284cacb06528aa6fc23b523_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: ef687378b284cacb06528aa6fc23b523_JaffaCakes118.exe
Size: 168KB
MD5: ef687378b284cacb06528aa6fc23b523
SHA1: 0d15d41b0b18301beaede43c7d700cf8d72a6e0d
SHA256: 0288588d2d906a7875565e96f81b14c86b81e63e106cacae9fbfc47c310c22cc
SHA512: 655cd31f66abfdffceb9624fda258cc86393c99a4cdd22693e35f9e6ae07d7bda805e235cd14f5e21227eb9959aa3490e5aed1618e4a6901c245f2f626929f1c
SSDEEP: 3072:u6ODXSCl5XCqPpdKdnq2bqv/vUq/bBSRWkHdADOGM8kee+WJEY7X:iSNqKg2bqv/vUCkR9HdADIx7X
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Deletes itself 1 IoCs
| pid | Process |
|---|---|
| 2888 | igfxwk32.exe |
Executes dropped EXE 29 IoCs
Maps connected drives based on registry 3 TTPs 30 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 45 IoCs
Suspicious use of SetThreadContext 15 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 512 set thread context of 2176 | 512 | ef687378b284cacb06528aa6fc23b523_JaffaCakes118.exe | 86 |
| PID 3280 set thread context of 2888 | 3280 | igfxwk32.exe | 91 |
| PID 2092 set thread context of 928 | 2092 | igfxwk32.exe | 93 |
| PID 1144 set thread context of 1248 | 1144 | igfxwk32.exe | 97 |
| PID 4940 set thread context of 2136 | 4940 | igfxwk32.exe | 99 |
| PID 4644 set thread context of 776 | 4644 | igfxwk32.exe | 101 |
| PID 4636 set thread context of 3840 | 4636 | igfxwk32.exe | 103 |
| PID 4088 set thread context of 1572 | 4088 | igfxwk32.exe | 105 |
| PID 1192 set thread context of 3604 | 1192 | igfxwk32.exe | 107 |
| PID 3716 set thread context of 4396 | 3716 | igfxwk32.exe | 109 |
| PID 2980 set thread context of 4556 | 2980 | igfxwk32.exe | 111 |
| PID 3436 set thread context of 3396 | 3436 | igfxwk32.exe | 113 |
| PID 944 set thread context of 2924 | 944 | igfxwk32.exe | 115 |
| PID 3256 set thread context of 3484 | 3256 | igfxwk32.exe | 117 |
| PID 4972 set thread context of 1528 | 4972 | igfxwk32.exe | 119 |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 15 IoCs
Suspicious behavior: EnumeratesProcesses 60 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\ef687378b284cacb06528aa6fc23b523_JaffaCakes118.exe (PID 512)
Command line: "C:\Users\Admin\AppData\Local\Temp\ef687378b284cacb06528aa6fc23b523_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Admin\AppData\Local\Temp\ef687378b284cacb06528aa6fc23b523_JaffaCakes118.exe (PID 2176)
Command line: "C:\Users\Admin\AppData\Local\Temp\ef687378b284cacb06528aa6fc23b523_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\igfxwk32.exe (PID 3280)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\EF6873~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SysWOW64\igfxwk32.exe (PID 2888)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\EF6873~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\igfxwk32.exe (PID 2092)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\igfxwk32.exe (PID 928)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\SysWOW64\igfxwk32.exe (PID 1144)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\SysWOW64\igfxwk32.exe (PID 1248)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\SysWOW64\igfxwk32.exe (PID 4940)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\SysWOW64\igfxwk32.exe (PID 2136)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\SysWOW64\igfxwk32.exe (PID 4644)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\SysWOW64\igfxwk32.exe (PID 776)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 13: C:\Windows\SysWOW64\igfxwk32.exe (PID 4636)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 14: C:\Windows\SysWOW64\igfxwk32.exe (PID 3840)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 15: C:\Windows\SysWOW64\igfxwk32.exe (PID 4088)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 16: C:\Windows\SysWOW64\igfxwk32.exe (PID 1572)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 17: C:\Windows\SysWOW64\igfxwk32.exe (PID 1192)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 18: C:\Windows\SysWOW64\igfxwk32.exe (PID 3604)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 19: C:\Windows\SysWOW64\igfxwk32.exe (PID 3716)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 20: C:\Windows\SysWOW64\igfxwk32.exe (PID 4396)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 21: C:\Windows\SysWOW64\igfxwk32.exe (PID 2980)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 22: C:\Windows\SysWOW64\igfxwk32.exe (PID 4556)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 23: C:\Windows\SysWOW64\igfxwk32.exe (PID 3436)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 24: C:\Windows\SysWOW64\igfxwk32.exe (PID 3396)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 25: C:\Windows\SysWOW64\igfxwk32.exe (PID 944)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 26: C:\Windows\SysWOW64\igfxwk32.exe (PID 2924)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 27: C:\Windows\SysWOW64\igfxwk32.exe (PID 3256)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 28: C:\Windows\SysWOW64\igfxwk32.exe (PID 3484)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 29: C:\Windows\SysWOW64\igfxwk32.exe (PID 4972)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 30: C:\Windows\SysWOW64\igfxwk32.exe (PID 1528)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Depth 31: C:\Windows\SysWOW64\igfxwk32.exe (PID 2516)
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 168KB
MD5: ef687378b284cacb06528aa6fc23b523
SHA1: 0d15d41b0b18301beaede43c7d700cf8d72a6e0d
SHA256: 0288588d2d906a7875565e96f81b14c86b81e63e106cacae9fbfc47c310c22cc
SHA512: 655cd31f66abfdffceb9624fda258cc86393c99a4cdd22693e35f9e6ae07d7bda805e235cd14f5e21227eb9959aa3490e5aed1618e4a6901c245f2f626929f1c