Analysis
max time kernel: 147s
max time network: 121s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26-09-2024 01:38
Static task: static1
Behavioral task: behavioral1
Sample: f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe
Resource: win10v2004-20240802-en

General
Target: f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe
Size: 168KB
MD5: f747007de3cb01e70c1170572951cecc
SHA1: 6f683e1b46bb7aa6cf4939d02fc2a8d0b2411fe5
SHA256: 5b3e37227741161c58a39386fc7d48013ad2d4a43b3826f1cc35d2bb40e0b44c
SHA512: d1ce4370a17b1904188846e25b13487762e1228b99e312371aaf0144f87c3cb85776d8508c3e7f6b385b2d0a8c64388df0d927bc91e1e7495f3679d96c37f95a
SSDEEP: 3072:dIM4k11DfZS5sXm7mgD1Z+cqw6/BiuDVH3rO20ME4p80OhKdC:aG11Df/XomgT+a6/B/Zsd0goC
Malware Config
Extracted: metasploit, encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Deletes itself 1 IoCs
pid 2660, process igfxwk32.exe
Executes dropped EXE 31 IoCs
Loads dropped DLL 31 IoCs
Maps connected drives based on registry 3 TTPs 32 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 48 IoCs
Suspicious use of SetThreadContext 16 IoCs
UPX-packed memory (yara rule upx) matched in behavioral1 memory dumps of the injected igfxwk32.exe and f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe processes at 0x0000000000400000-0x0000000000466000.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 32 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 32 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2248

Depth 2: C:\Users\Admin\AppData\Local\Temp\f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2520

Depth 3: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\F74700~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3064

Depth 4: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\F74700~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2660

Depth 5: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2600

Depth 6: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2604

Depth 7: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2920

Depth 8: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1632

Depth 9: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2348

Depth 10: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1160

Depth 11: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1888

Depth 12: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 496

Depth 13: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2828

Depth 14: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2672

Depth 15: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 448

Depth 16: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 948

Depth 17: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2284

Depth 18: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2768

Depth 19: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2308

Depth 20: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1832

Depth 21: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2248

Depth 22: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2984

Depth 23: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2668

Depth 24: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2548

Depth 25: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2740

Depth 26: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2600

Depth 27: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2612

Depth 28: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1584

Depth 29: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1996

Depth 30: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2348

Depth 31: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1228

Depth 32: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 316

Depth 33: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
PID: 2288
Downloads
Filesize: 168KB
MD5: f747007de3cb01e70c1170572951cecc
SHA1: 6f683e1b46bb7aa6cf4939d02fc2a8d0b2411fe5
SHA256: 5b3e37227741161c58a39386fc7d48013ad2d4a43b3826f1cc35d2bb40e0b44c
SHA512: d1ce4370a17b1904188846e25b13487762e1228b99e312371aaf0144f87c3cb85776d8508c3e7f6b385b2d0a8c64388df0d927bc91e1e7495f3679d96c37f95a