Analysis
max time kernel: 144s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2024 01:38
Static task: static1
Behavioral task: behavioral1
  Sample: f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe
Size: 168KB
MD5: f747007de3cb01e70c1170572951cecc
SHA1: 6f683e1b46bb7aa6cf4939d02fc2a8d0b2411fe5
SHA256: 5b3e37227741161c58a39386fc7d48013ad2d4a43b3826f1cc35d2bb40e0b44c
SHA512: d1ce4370a17b1904188846e25b13487762e1228b99e312371aaf0144f87c3cb85776d8508c3e7f6b385b2d0a8c64388df0d927bc91e1e7495f3679d96c37f95a
SSDEEP: 3072:dIM4k11DfZS5sXm7mgD1Z+cqw6/BiuDVH3rO20ME4p80OhKdC:aG11Df/XomgT+a6/B/Zsd0goC
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up the country code configured in the registry, most likely for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation
  by f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe (1 query) and igfxwk32.exe (14 queries)
Deletes itself (1 IoC)
pid 2940, Process igfxwk32.exe. This is the first igfxwk32.exe instance that received injected code, launched with the original sample's path (C:\Users\Admin\AppData\Local\Temp\F74700~1.EXE) as its command-line argument.
Executes dropped EXE (29 IoCs)
Process igfxwk32.exe, pids: 4432, 2940, 776, 3888, 2740, 4752, 3208, 3916, 2764, 1964, 3384, 2908, 3184, 644, 548, 3744, 4716, 4008, 4896, 2260, 4176, 2692, 3220, 948, 4820, 4444, 5044, 2936, 1160
Maps connected drives based on registry (3 TTPs, 30 IoCs)
Disk information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  by f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe (1) and igfxwk32.exe (14)
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
  by f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe (1) and igfxwk32.exe (14)
Drops file in System32 directory (45 IoCs)
The same three operations recur once per injected instance (the original sample once, igfxwk32.exe fourteen times): open the SysWOW64 directory, create igfxwk32.exe, open it for modification. Each instance therefore re-drops the file before launching the next one. The write path on disk is C:\Windows\SysWOW64 although the command lines in the process tree say C:\Windows\system32: the processes are 32-bit, so WOW64 file system redirection maps system32 to SysWOW64.
File opened for modification: C:\Windows\SysWOW64\
  by f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe (1) and igfxwk32.exe (14)
File created: C:\Windows\SysWOW64\igfxwk32.exe
  by f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe (1) and igfxwk32.exe (14)
File opened for modification: C:\Windows\SysWOW64\igfxwk32.exe
  by f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe (1) and igfxwk32.exe (14)
Suspicious use of SetThreadContext (15 IoCs)
Every row is a parent changing the thread context of a child that runs the same image as the parent. The same (pid, procid_target) pairs appear in the WriteProcessMemory table below, which is the process-hollowing (RunPE) sequence: write a new image into the child, then point one of its threads at it. SetThreadContext alone is also used by debuggers, so the pair of events is the thing to alert on.
description pid Process procid_target
PID 3552 set thread context of 4924 3552 f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe 83
PID 4432 set thread context of 2940 4432 igfxwk32.exe 92
PID 776 set thread context of 3888 776 igfxwk32.exe 94
PID 2740 set thread context of 4752 2740 igfxwk32.exe 98
PID 3208 set thread context of 3916 3208 igfxwk32.exe 100
PID 2764 set thread context of 1964 2764 igfxwk32.exe 102
PID 3384 set thread context of 2908 3384 igfxwk32.exe 104
PID 3184 set thread context of 644 3184 igfxwk32.exe 106
PID 548 set thread context of 3744 548 igfxwk32.exe 108
PID 4716 set thread context of 4008 4716 igfxwk32.exe 110
PID 4896 set thread context of 2260 4896 igfxwk32.exe 112
PID 4176 set thread context of 2692 4176 igfxwk32.exe 114
PID 3220 set thread context of 948 3220 igfxwk32.exe 116
PID 4820 set thread context of 4444 4820 igfxwk32.exe 118
PID 5044 set thread context of 2936 5044 igfxwk32.exe 120
UPX packed file (22 IoCs)
Yara rule upx matched the image region 0x0000000000400000-0x0000000000466000 in every process that was the target of a SetThreadContext call above (4924, 2940, 3888, 4752, 3916, 1964, 2908, 644, 3744, 4008, 2260, 2692, 948, 4444, 2936), so the image written into each hollowed child still carries UPX markers. The resources are the sandbox's dumps of that region.
resource (yara_rule upx, all 0x0000000000400000-0x0000000000466000):
behavioral2/memory/4924-0-…-memory.dmp, 4924-2, 4924-3, 4924-4, 4924-38, 2940-43, 2940-44, 2940-45, 2940-47, 3888-56, 4752-65, 3916-70, 1964-78, 2908-85, 644-94, 3744-101, 4008-108, 2260-116, 2692-123, 948-133, 4444-141, 2936-150 (each named behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000466000-memory.dmp)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 30 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe (2) and igfxwk32.exe (28)
Modifies registry class (15 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  by f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe (1) and igfxwk32.exe (14)
The key sits under WOW6432Node, the 32-bit view of HKLM\SOFTWARE\Classes; when hunting for it from a 64-bit tool, query the full WOW6432Node path or open the key with the 32-bit registry view.
Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid Process (4 events per pid): 4924 f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe; 2940, 3888, 4752, 3916, 1964, 2908, 644, 3744, 4008, 2260, 2692, 948, 4444, 2936 igfxwk32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Rows are deduplicated here with the repeat count in parentheses; the table stops at 64 rows, so the writes of the later instances are not listed. The pairs with seven writes coincide with the SetThreadContext pairs above (the hollowed children); the pairs with three writes are the plain launches of the next igfxwk32.exe.
description pid Process procid_target
PID 3552 wrote to memory of 4924 3552 f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe 83 (x7)
PID 4924 wrote to memory of 4432 4924 f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe 87 (x3)
PID 4432 wrote to memory of 2940 4432 igfxwk32.exe 92 (x7)
PID 2940 wrote to memory of 776 2940 igfxwk32.exe 93 (x3)
PID 776 wrote to memory of 3888 776 igfxwk32.exe 94 (x7)
PID 3888 wrote to memory of 2740 3888 igfxwk32.exe 96 (x3)
PID 2740 wrote to memory of 4752 2740 igfxwk32.exe 98 (x7)
PID 4752 wrote to memory of 3208 4752 igfxwk32.exe 99 (x3)
PID 3208 wrote to memory of 3916 3208 igfxwk32.exe 100 (x7)
PID 3916 wrote to memory of 2764 3916 igfxwk32.exe 101 (x3)
PID 2764 wrote to memory of 1964 2764 igfxwk32.exe 102 (x7)
PID 1964 wrote to memory of 3384 1964 igfxwk32.exe 103 (x3)
PID 3384 wrote to memory of 2908 3384 igfxwk32.exe 104 (x4, table truncated)
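The SetThreadContext and WriteProcessMemory tables together define the injection chain. The Python below is added here as a worked example (not part of the report): it parses rows in the report's own row format, flags (pid, procid_target) pairs that appear in both tables as hollowing candidates, and walks the chain from the root pid. REPORT_ROWS is copied from the two tables above with the WriteProcessMemory duplicates removed; the logic works unchanged on rows from any report in this format.

```python
"""Correlate SetThreadContext and WriteProcessMemory rows into a hollowing chain.

Added example, not part of the sandbox report. REPORT_ROWS is copied from the
report's tables (WriteProcessMemory rows deduplicated; that table stops at 64 rows).
"""
import re
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    src: int      # pid performing the action
    action: str   # "set thread context of" or "wrote to memory of"
    dst: int      # target pid
    image: str    # image of the acting process
    procid: int   # the report's procid_target


ROW = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\d+)"
)

SAMPLE = "f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe"
REPORT_ROWS = f"""
PID 3552 set thread context of 4924 3552 {SAMPLE} 83
PID 4432 set thread context of 2940 4432 igfxwk32.exe 92
PID 776 set thread context of 3888 776 igfxwk32.exe 94
PID 2740 set thread context of 4752 2740 igfxwk32.exe 98
PID 3208 set thread context of 3916 3208 igfxwk32.exe 100
PID 2764 set thread context of 1964 2764 igfxwk32.exe 102
PID 3384 set thread context of 2908 3384 igfxwk32.exe 104
PID 3184 set thread context of 644 3184 igfxwk32.exe 106
PID 548 set thread context of 3744 548 igfxwk32.exe 108
PID 4716 set thread context of 4008 4716 igfxwk32.exe 110
PID 4896 set thread context of 2260 4896 igfxwk32.exe 112
PID 4176 set thread context of 2692 4176 igfxwk32.exe 114
PID 3220 set thread context of 948 3220 igfxwk32.exe 116
PID 4820 set thread context of 4444 4820 igfxwk32.exe 118
PID 5044 set thread context of 2936 5044 igfxwk32.exe 120
PID 3552 wrote to memory of 4924 3552 {SAMPLE} 83
PID 4924 wrote to memory of 4432 4924 {SAMPLE} 87
PID 4432 wrote to memory of 2940 4432 igfxwk32.exe 92
PID 2940 wrote to memory of 776 2940 igfxwk32.exe 93
PID 776 wrote to memory of 3888 776 igfxwk32.exe 94
PID 3888 wrote to memory of 2740 3888 igfxwk32.exe 96
PID 2740 wrote to memory of 4752 2740 igfxwk32.exe 98
PID 4752 wrote to memory of 3208 4752 igfxwk32.exe 99
PID 3208 wrote to memory of 3916 3208 igfxwk32.exe 100
PID 3916 wrote to memory of 2764 3916 igfxwk32.exe 101
PID 2764 wrote to memory of 1964 2764 igfxwk32.exe 102
PID 1964 wrote to memory of 3384 1964 igfxwk32.exe 103
PID 3384 wrote to memory of 2908 3384 igfxwk32.exe 104
"""


def parse(rows: str) -> List[Event]:
    """Turn report rows into Event tuples; lines that do not match are skipped."""
    events = []
    for line in rows.splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append(Event(int(m[1]), m[2], int(m[3]), m[4], int(m[5])))
    return events


def hollowing_candidates(events: List[Event]) -> List[Event]:
    """SetThreadContext events whose (src, dst) pair also appears as a memory write.

    Writing into a child and then redirecting one of its threads is the RunPE /
    process-hollowing sequence; either action alone is common (process creation,
    debuggers), so the pair is what to alert on.
    """
    wrote = {(e.src, e.dst) for e in events if e.action == "wrote to memory of"}
    return sorted(
        (e for e in events
         if e.action == "set thread context of" and (e.src, e.dst) in wrote),
        key=lambda e: e.procid,
    )


def chain(events: List[Event], root: int) -> List[int]:
    """Follow src -> dst edges from root. Each pid here targets one other pid, so
    the result is a simple path; the seen-set guards against a cyclic table."""
    nxt: Dict[int, int] = {}
    for e in events:
        nxt.setdefault(e.src, e.dst)
    path, seen = [root], {root}
    while path[-1] in nxt and nxt[path[-1]] not in seen:
        path.append(nxt[path[-1]])
        seen.add(path[-1])
    return path


if __name__ == "__main__":
    ev = parse(REPORT_ROWS)
    for e in hollowing_candidates(ev):
        print(f"hollowing: {e.src} -> {e.dst} ({e.image})")
    print("chain from 3552:", " -> ".join(map(str, chain(ev, 3552))))
```

On these rows the chain from 3552 ends at 2908 only because the WriteProcessMemory table is cut off there; the SetThreadContext rows for 3184 onward show the pattern continuing.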
Processes
The tree alternates between two roles. Each odd-depth instance injects into the even-depth copy of itself directly below it (Suspicious use of SetThreadContext plus Suspicious use of WriteProcessMemory on that child); the even-depth copy performs the discovery checks, re-creates C:\Windows\SysWOW64\igfxwk32.exe and launches the next odd-depth instance. The command lines name C:\Windows\system32\igfxwk32.exe, but these are 32-bit processes, so WOW64 file system redirection resolves that path to C:\Windows\SysWOW64\igfxwk32.exe, the image recorded for each process.

[depth 1] C:\Users\Admin\AppData\Local\Temp\f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe (PID 3552)
  command line: "C:\Users\Admin\AppData\Local\Temp\f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Users\Admin\AppData\Local\Temp\f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe (PID 4924)
  command line: "C:\Users\Admin\AppData\Local\Temp\f747007de3cb01e70c1170572951cecc_JaffaCakes118.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\igfxwk32.exe (PID 4432)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\F74700~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\SysWOW64\igfxwk32.exe (PID 2940)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\F74700~1.EXE
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\SysWOW64\igfxwk32.exe (PID 776)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\SysWOW64\igfxwk32.exe (PID 3888)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\SysWOW64\igfxwk32.exe (PID 2740)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\SysWOW64\igfxwk32.exe (PID 4752)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\SysWOW64\igfxwk32.exe (PID 3208)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\SysWOW64\igfxwk32.exe (PID 3916)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 11] C:\Windows\SysWOW64\igfxwk32.exe (PID 2764)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 12] C:\Windows\SysWOW64\igfxwk32.exe (PID 1964)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 13] C:\Windows\SysWOW64\igfxwk32.exe (PID 3384)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 14] C:\Windows\SysWOW64\igfxwk32.exe (PID 2908)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 15] C:\Windows\SysWOW64\igfxwk32.exe (PID 3184)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 16] C:\Windows\SysWOW64\igfxwk32.exe (PID 644)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 17] C:\Windows\SysWOW64\igfxwk32.exe (PID 548)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 18] C:\Windows\SysWOW64\igfxwk32.exe (PID 3744)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 19] C:\Windows\SysWOW64\igfxwk32.exe (PID 4716)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 20] C:\Windows\SysWOW64\igfxwk32.exe (PID 4008)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 21] C:\Windows\SysWOW64\igfxwk32.exe (PID 4896)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 22] C:\Windows\SysWOW64\igfxwk32.exe (PID 2260)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 23] C:\Windows\SysWOW64\igfxwk32.exe (PID 4176)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 24] C:\Windows\SysWOW64\igfxwk32.exe (PID 2692)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 25] C:\Windows\SysWOW64\igfxwk32.exe (PID 3220)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 26] C:\Windows\SysWOW64\igfxwk32.exe (PID 948)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 27] C:\Windows\SysWOW64\igfxwk32.exe (PID 4820)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 28] C:\Windows\SysWOW64\igfxwk32.exe (PID 4444)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 29] C:\Windows\SysWOW64\igfxwk32.exe (PID 5044)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 30] C:\Windows\SysWOW64\igfxwk32.exe (PID 2936)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 31] C:\Windows\SysWOW64\igfxwk32.exe (PID 1160)
  command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 168KB
MD5: f747007de3cb01e70c1170572951cecc
SHA1: 6f683e1b46bb7aa6cf4939d02fc2a8d0b2411fe5
SHA256: 5b3e37227741161c58a39386fc7d48013ad2d4a43b3826f1cc35d2bb40e0b44c
SHA512: d1ce4370a17b1904188846e25b13487762e1228b99e312371aaf0144f87c3cb85776d8508c3e7f6b385b2d0a8c64388df0d927bc91e1e7495f3679d96c37f95a