Analysis
max time kernel: 144s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2024, 10:40
Static task: static1
Behavioral task: behavioral1
  Sample: ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
Size: 195KB
MD5: ef9de89214c6f038136bf5cb414af879
SHA1: be522254b5af0d514ed54f896bfc1b824531e9d0
SHA256: 9141333a7c5355eda35613bf0487fe46ae41fe5f30c4850aabdedb66836ef83a
SHA512: 6fd3a58dddac241ae174d7604d0b6d102c9ab4726968c67db1ca437afad43ac9f1aab5436011685b5208d86dd83ffa07f8e1e2e31849a5cccb6c2939ba381c5f
SSDEEP: 3072:d24Kn1kPaKZ/5+LepB2r+qL+tJToNoYxvIKMZNYOC7hnRRT6d:j+kPaKZ7urlL+3oJ5IKOap71D6d
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | igfxwp32.exe
Deletes itself (1 IoCs)
pid | Process
4732 | igfxwp32.exe
Executes dropped EXE (29 IoCs)
pid | Process
1752 | igfxwp32.exe
4732 | igfxwp32.exe
5084 | igfxwp32.exe
4468 | igfxwp32.exe
2844 | igfxwp32.exe
4820 | igfxwp32.exe
1008 | igfxwp32.exe
692 | igfxwp32.exe
3480 | igfxwp32.exe
1556 | igfxwp32.exe
1408 | igfxwp32.exe
2084 | igfxwp32.exe
4232 | igfxwp32.exe
3108 | igfxwp32.exe
2360 | igfxwp32.exe
5040 | igfxwp32.exe
3712 | igfxwp32.exe
4824 | igfxwp32.exe
3920 | igfxwp32.exe
556 | igfxwp32.exe
768 | igfxwp32.exe
4208 | igfxwp32.exe
4692 | igfxwp32.exe
1036 | igfxwp32.exe
2400 | igfxwp32.exe
5100 | igfxwp32.exe
1920 | igfxwp32.exe
880 | igfxwp32.exe
2988 | igfxwp32.exe
resource | yara_rule
behavioral2/memory/2900-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2900-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2900-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2900-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2900-40-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4732-46-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4732-47-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4468-54-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4820-65-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/692-71-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1556-78-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2084-85-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3108-93-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5040-100-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4824-108-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/556-115-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4208-122-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1036-132-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5100-141-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/880-149-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Maps connected drives based on registry (3 TTPs, 30 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwp32.exe
Drops file in System32 directory (45 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\igfxwp32.exe | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File created | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwp32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwp32.exe | igfxwp32.exe
Suspicious use of SetThreadContext (15 IoCs)
description | pid | Process | procid_target
PID 3268 set thread context of 2900 | 3268 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe | 89
PID 1752 set thread context of 4732 | 1752 | igfxwp32.exe | 93
PID 5084 set thread context of 4468 | 5084 | igfxwp32.exe | 95
PID 2844 set thread context of 4820 | 2844 | igfxwp32.exe | 99
PID 1008 set thread context of 692 | 1008 | igfxwp32.exe | 101
PID 3480 set thread context of 1556 | 3480 | igfxwp32.exe | 103
PID 1408 set thread context of 2084 | 1408 | igfxwp32.exe | 105
PID 4232 set thread context of 3108 | 4232 | igfxwp32.exe | 107
PID 2360 set thread context of 5040 | 2360 | igfxwp32.exe | 109
PID 3712 set thread context of 4824 | 3712 | igfxwp32.exe | 111
PID 3920 set thread context of 556 | 3920 | igfxwp32.exe | 113
PID 768 set thread context of 4208 | 768 | igfxwp32.exe | 115
PID 4692 set thread context of 1036 | 4692 | igfxwp32.exe | 117
PID 2400 set thread context of 5100 | 2400 | igfxwp32.exe | 119
PID 1920 set thread context of 880 | 1920 | igfxwp32.exe | 121
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 30 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwp32.exe
Modifies registry class (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwp32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3268 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
3268 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
2900 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
2900 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
2900 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
2900 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
1752 | igfxwp32.exe
1752 | igfxwp32.exe
4732 | igfxwp32.exe
4732 | igfxwp32.exe
4732 | igfxwp32.exe
4732 | igfxwp32.exe
5084 | igfxwp32.exe
5084 | igfxwp32.exe
4468 | igfxwp32.exe
4468 | igfxwp32.exe
4468 | igfxwp32.exe
4468 | igfxwp32.exe
2844 | igfxwp32.exe
2844 | igfxwp32.exe
4820 | igfxwp32.exe
4820 | igfxwp32.exe
4820 | igfxwp32.exe
4820 | igfxwp32.exe
1008 | igfxwp32.exe
1008 | igfxwp32.exe
692 | igfxwp32.exe
692 | igfxwp32.exe
692 | igfxwp32.exe
692 | igfxwp32.exe
3480 | igfxwp32.exe
3480 | igfxwp32.exe
1556 | igfxwp32.exe
1556 | igfxwp32.exe
1556 | igfxwp32.exe
1556 | igfxwp32.exe
1408 | igfxwp32.exe
1408 | igfxwp32.exe
2084 | igfxwp32.exe
2084 | igfxwp32.exe
2084 | igfxwp32.exe
2084 | igfxwp32.exe
4232 | igfxwp32.exe
4232 | igfxwp32.exe
3108 | igfxwp32.exe
3108 | igfxwp32.exe
3108 | igfxwp32.exe
3108 | igfxwp32.exe
2360 | igfxwp32.exe
2360 | igfxwp32.exe
5040 | igfxwp32.exe
5040 | igfxwp32.exe
5040 | igfxwp32.exe
5040 | igfxwp32.exe
3712 | igfxwp32.exe
3712 | igfxwp32.exe
4824 | igfxwp32.exe
4824 | igfxwp32.exe
4824 | igfxwp32.exe
4824 | igfxwp32.exe
3920 | igfxwp32.exe
3920 | igfxwp32.exe
556 | igfxwp32.exe
556 | igfxwp32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3268 wrote to memory of 2900 | 3268 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe | 89
PID 3268 wrote to memory of 2900 | 3268 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe | 89
PID 3268 wrote to memory of 2900 | 3268 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe | 89
PID 3268 wrote to memory of 2900 | 3268 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe | 89
PID 3268 wrote to memory of 2900 | 3268 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe | 89
PID 3268 wrote to memory of 2900 | 3268 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe | 89
PID 3268 wrote to memory of 2900 | 3268 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe | 89
PID 2900 wrote to memory of 1752 | 2900 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe | 90
PID 2900 wrote to memory of 1752 | 2900 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe | 90
PID 2900 wrote to memory of 1752 | 2900 | ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe | 90
PID 1752 wrote to memory of 4732 | 1752 | igfxwp32.exe | 93
PID 1752 wrote to memory of 4732 | 1752 | igfxwp32.exe | 93
PID 1752 wrote to memory of 4732 | 1752 | igfxwp32.exe | 93
PID 1752 wrote to memory of 4732 | 1752 | igfxwp32.exe | 93
PID 1752 wrote to memory of 4732 | 1752 | igfxwp32.exe | 93
PID 1752 wrote to memory of 4732 | 1752 | igfxwp32.exe | 93
PID 1752 wrote to memory of 4732 | 1752 | igfxwp32.exe | 93
PID 4732 wrote to memory of 5084 | 4732 | igfxwp32.exe | 94
PID 4732 wrote to memory of 5084 | 4732 | igfxwp32.exe | 94
PID 4732 wrote to memory of 5084 | 4732 | igfxwp32.exe | 94
PID 5084 wrote to memory of 4468 | 5084 | igfxwp32.exe | 95
PID 5084 wrote to memory of 4468 | 5084 | igfxwp32.exe | 95
PID 5084 wrote to memory of 4468 | 5084 | igfxwp32.exe | 95
PID 5084 wrote to memory of 4468 | 5084 | igfxwp32.exe | 95
PID 5084 wrote to memory of 4468 | 5084 | igfxwp32.exe | 95
PID 5084 wrote to memory of 4468 | 5084 | igfxwp32.exe | 95
PID 5084 wrote to memory of 4468 | 5084 | igfxwp32.exe | 95
PID 4468 wrote to memory of 2844 | 4468 | igfxwp32.exe | 97
PID 4468 wrote to memory of 2844 | 4468 | igfxwp32.exe | 97
PID 4468 wrote to memory of 2844 | 4468 | igfxwp32.exe | 97
PID 2844 wrote to memory of 4820 | 2844 | igfxwp32.exe | 99
PID 2844 wrote to memory of 4820 | 2844 | igfxwp32.exe | 99
PID 2844 wrote to memory of 4820 | 2844 | igfxwp32.exe | 99
PID 2844 wrote to memory of 4820 | 2844 | igfxwp32.exe | 99
PID 2844 wrote to memory of 4820 | 2844 | igfxwp32.exe | 99
PID 2844 wrote to memory of 4820 | 2844 | igfxwp32.exe | 99
PID 2844 wrote to memory of 4820 | 2844 | igfxwp32.exe | 99
PID 4820 wrote to memory of 1008 | 4820 | igfxwp32.exe | 100
PID 4820 wrote to memory of 1008 | 4820 | igfxwp32.exe | 100
PID 4820 wrote to memory of 1008 | 4820 | igfxwp32.exe | 100
PID 1008 wrote to memory of 692 | 1008 | igfxwp32.exe | 101
PID 1008 wrote to memory of 692 | 1008 | igfxwp32.exe | 101
PID 1008 wrote to memory of 692 | 1008 | igfxwp32.exe | 101
PID 1008 wrote to memory of 692 | 1008 | igfxwp32.exe | 101
PID 1008 wrote to memory of 692 | 1008 | igfxwp32.exe | 101
PID 1008 wrote to memory of 692 | 1008 | igfxwp32.exe | 101
PID 1008 wrote to memory of 692 | 1008 | igfxwp32.exe | 101
PID 692 wrote to memory of 3480 | 692 | igfxwp32.exe | 102
PID 692 wrote to memory of 3480 | 692 | igfxwp32.exe | 102
PID 692 wrote to memory of 3480 | 692 | igfxwp32.exe | 102
PID 3480 wrote to memory of 1556 | 3480 | igfxwp32.exe | 103
PID 3480 wrote to memory of 1556 | 3480 | igfxwp32.exe | 103
PID 3480 wrote to memory of 1556 | 3480 | igfxwp32.exe | 103
PID 3480 wrote to memory of 1556 | 3480 | igfxwp32.exe | 103
PID 3480 wrote to memory of 1556 | 3480 | igfxwp32.exe | 103
PID 3480 wrote to memory of 1556 | 3480 | igfxwp32.exe | 103
PID 3480 wrote to memory of 1556 | 3480 | igfxwp32.exe | 103
PID 1556 wrote to memory of 1408 | 1556 | igfxwp32.exe | 104
PID 1556 wrote to memory of 1408 | 1556 | igfxwp32.exe | 104
PID 1556 wrote to memory of 1408 | 1556 | igfxwp32.exe | 104
PID 1408 wrote to memory of 2084 | 1408 | igfxwp32.exe | 105
PID 1408 wrote to memory of 2084 | 1408 | igfxwp32.exe | 105
PID 1408 wrote to memory of 2084 | 1408 | igfxwp32.exe | 105
PID 1408 wrote to memory of 2084 | 1408 | igfxwp32.exe | 105
Processes
(Depth shows the nesting in the process tree: each entry is a child of the entry above it.)

Depth 1
  Path: C:\Users\Admin\AppData\Local\Temp\ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3268

Depth 2
  Path: C:\Users\Admin\AppData\Local\Temp\ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef9de89214c6f038136bf5cb414af879_JaffaCakes118.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2900

Depth 3
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\EF9DE8~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1752

Depth 4
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\EF9DE8~1.EXE
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4732

Depth 5
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 5084

Depth 6
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4468

Depth 7
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2844

Depth 8
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4820

Depth 9
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1008

Depth 10
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 692

Depth 11
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3480

Depth 12
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1556

Depth 13
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1408

Depth 14
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 2084

Depth 15
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 4232

Depth 16
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 3108

Depth 17
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2360

Depth 18
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 5040

Depth 19
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 3712

Depth 20
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 4824

Depth 21
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 3920

Depth 22
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 556

Depth 23
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 768

Depth 24
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 4208

Depth 25
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 4692

Depth 26
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 1036

Depth 27
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 2400

Depth 28
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 5100

Depth 29
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 1920

Depth 30
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 880

Depth 31
  Path: C:\Windows\SysWOW64\igfxwp32.exe
  Command line: "C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
  - Executes dropped EXE
  PID: 2988
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 195KB
MD5: ef9de89214c6f038136bf5cb414af879
SHA1: be522254b5af0d514ed54f896bfc1b824531e9d0
SHA256: 9141333a7c5355eda35613bf0487fe46ae41fe5f30c4850aabdedb66836ef83a
SHA512: 6fd3a58dddac241ae174d7604d0b6d102c9ab4726968c67db1ca437afad43ac9f1aab5436011685b5208d86dd83ffa07f8e1e2e31849a5cccb6c2939ba381c5f