Analysis
- max time kernel: 148s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 26-09-2024 07:22
Static task: static1
Behavioral task: behavioral1
  Sample: f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
- Size: 179KB
- MD5: f7db238e7c083d3cc0b4c482dc6cebea
- SHA1: 3b7e846bb2d6df654a680fc0a56fc9c0ea2c86a5
- SHA256: 7a5ccbef0a7db83971af93eb550fe0e58543a92bc24f791c13363bc683dc545d
- SHA512: 5dbec22963306fd67a8787063ff38b7954934c98d3ff53629e131b67671106b7a9e1807811817408ba990cb70bc0e5e5ca8f077e2c061ebcf80a36b49239c0ad
- SSDEEP: 3072:btOpuhG58eziMhEqj36FGyKnHbESMb8vND5bDZaHkjSq2:3Qzk4KFGyKnHuwvHbVaH42
Malware Config
Extracted: metasploit
Encoder: encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Deletes itself 1 IoCs
pid | Process
2716 | igfxwa32.exe

Executes dropped EXE 30 IoCs
pid | Process
2408 | igfxwa32.exe
2716 | igfxwa32.exe
2864 | igfxwa32.exe
2836 | igfxwa32.exe
2936 | igfxwa32.exe
788 | igfxwa32.exe
1680 | igfxwa32.exe
300 | igfxwa32.exe
1944 | igfxwa32.exe
2548 | igfxwa32.exe
2840 | igfxwa32.exe
2744 | igfxwa32.exe
1396 | igfxwa32.exe
1756 | igfxwa32.exe
1284 | igfxwa32.exe
1844 | igfxwa32.exe
2996 | igfxwa32.exe
868 | igfxwa32.exe
2364 | igfxwa32.exe
1516 | igfxwa32.exe
2592 | igfxwa32.exe
2756 | igfxwa32.exe
2544 | igfxwa32.exe
2980 | igfxwa32.exe
1904 | igfxwa32.exe
1320 | igfxwa32.exe
1948 | igfxwa32.exe
484 | igfxwa32.exe
2584 | igfxwa32.exe
2332 | igfxwa32.exe

Loads dropped DLL 30 IoCs
pid | Process
1996 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
2408 | igfxwa32.exe
2716 | igfxwa32.exe
2864 | igfxwa32.exe
2836 | igfxwa32.exe
2936 | igfxwa32.exe
788 | igfxwa32.exe
1680 | igfxwa32.exe
300 | igfxwa32.exe
1944 | igfxwa32.exe
2548 | igfxwa32.exe
2840 | igfxwa32.exe
2744 | igfxwa32.exe
1396 | igfxwa32.exe
1756 | igfxwa32.exe
1284 | igfxwa32.exe
1844 | igfxwa32.exe
2996 | igfxwa32.exe
868 | igfxwa32.exe
2364 | igfxwa32.exe
1516 | igfxwa32.exe
2592 | igfxwa32.exe
2756 | igfxwa32.exe
2544 | igfxwa32.exe
2980 | igfxwa32.exe
1904 | igfxwa32.exe
1320 | igfxwa32.exe
1948 | igfxwa32.exe
484 | igfxwa32.exe
2584 | igfxwa32.exe

Maps connected drives based on registry 3 TTPs 32 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxwa32.exe

Drops file in System32 directory 45 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe

Suspicious use of SetThreadContext 16 IoCs
description | pid | Process | procid_target
PID 2572 set thread context of 1996 | 2572 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 31
PID 2408 set thread context of 2716 | 2408 | igfxwa32.exe | 33
PID 2864 set thread context of 2836 | 2864 | igfxwa32.exe | 35
PID 2936 set thread context of 788 | 2936 | igfxwa32.exe | 37
PID 1680 set thread context of 300 | 1680 | igfxwa32.exe | 39
PID 1944 set thread context of 2548 | 1944 | igfxwa32.exe | 41
PID 2840 set thread context of 2744 | 2840 | igfxwa32.exe | 43
PID 1396 set thread context of 1756 | 1396 | igfxwa32.exe | 45
PID 1284 set thread context of 1844 | 1284 | igfxwa32.exe | 47
PID 2996 set thread context of 868 | 2996 | igfxwa32.exe | 49
PID 2364 set thread context of 1516 | 2364 | igfxwa32.exe | 51
PID 2592 set thread context of 2756 | 2592 | igfxwa32.exe | 53
PID 2544 set thread context of 2980 | 2544 | igfxwa32.exe | 56
PID 1904 set thread context of 1320 | 1904 | igfxwa32.exe | 58
PID 1948 set thread context of 484 | 1948 | igfxwa32.exe | 60
PID 2584 set thread context of 2332 | 2584 | igfxwa32.exe | 62

resource | yara_rule
behavioral1/memory/1996-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1996-8-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1996-9-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1996-7-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1996-6-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1996-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1996-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1996-19-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2716-29-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2716-32-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2716-31-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2716-30-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2716-36-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2836-49-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2836-54-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/788-66-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/788-72-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/300-84-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/300-89-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2548-101-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2548-107-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2744-119-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2744-124-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1756-136-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1756-142-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1844-154-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1844-158-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/868-170-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/868-175-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1516-188-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1516-193-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2756-206-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2756-211-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2980-228-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/1320-244-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/484-258-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral1/memory/2332-266-0x0000000000400000-0x0000000000466000-memory.dmp | upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs
pid | Process
1996 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
1996 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
2716 | igfxwa32.exe
2716 | igfxwa32.exe
2836 | igfxwa32.exe
2836 | igfxwa32.exe
788 | igfxwa32.exe
788 | igfxwa32.exe
300 | igfxwa32.exe
300 | igfxwa32.exe
2548 | igfxwa32.exe
2548 | igfxwa32.exe
2744 | igfxwa32.exe
2744 | igfxwa32.exe
1756 | igfxwa32.exe
1756 | igfxwa32.exe
1844 | igfxwa32.exe
1844 | igfxwa32.exe
868 | igfxwa32.exe
868 | igfxwa32.exe
1516 | igfxwa32.exe
1516 | igfxwa32.exe
2756 | igfxwa32.exe
2756 | igfxwa32.exe
2980 | igfxwa32.exe
2980 | igfxwa32.exe
1320 | igfxwa32.exe
1320 | igfxwa32.exe
484 | igfxwa32.exe
484 | igfxwa32.exe
2332 | igfxwa32.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2572 wrote to memory of 1996 | 2572 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 31
PID 2572 wrote to memory of 1996 | 2572 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 31
PID 2572 wrote to memory of 1996 | 2572 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 31
PID 2572 wrote to memory of 1996 | 2572 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 31
PID 2572 wrote to memory of 1996 | 2572 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 31
PID 2572 wrote to memory of 1996 | 2572 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 31
PID 2572 wrote to memory of 1996 | 2572 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 31
PID 1996 wrote to memory of 2408 | 1996 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 32
PID 1996 wrote to memory of 2408 | 1996 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 32
PID 1996 wrote to memory of 2408 | 1996 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 32
PID 1996 wrote to memory of 2408 | 1996 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 32
PID 2408 wrote to memory of 2716 | 2408 | igfxwa32.exe | 33
PID 2408 wrote to memory of 2716 | 2408 | igfxwa32.exe | 33
PID 2408 wrote to memory of 2716 | 2408 | igfxwa32.exe | 33
PID 2408 wrote to memory of 2716 | 2408 | igfxwa32.exe | 33
PID 2408 wrote to memory of 2716 | 2408 | igfxwa32.exe | 33
PID 2408 wrote to memory of 2716 | 2408 | igfxwa32.exe | 33
PID 2408 wrote to memory of 2716 | 2408 | igfxwa32.exe | 33
PID 2716 wrote to memory of 2864 | 2716 | igfxwa32.exe | 34
PID 2716 wrote to memory of 2864 | 2716 | igfxwa32.exe | 34
PID 2716 wrote to memory of 2864 | 2716 | igfxwa32.exe | 34
PID 2716 wrote to memory of 2864 | 2716 | igfxwa32.exe | 34
PID 2864 wrote to memory of 2836 | 2864 | igfxwa32.exe | 35
PID 2864 wrote to memory of 2836 | 2864 | igfxwa32.exe | 35
PID 2864 wrote to memory of 2836 | 2864 | igfxwa32.exe | 35
PID 2864 wrote to memory of 2836 | 2864 | igfxwa32.exe | 35
PID 2864 wrote to memory of 2836 | 2864 | igfxwa32.exe | 35
PID 2864 wrote to memory of 2836 | 2864 | igfxwa32.exe | 35
PID 2864 wrote to memory of 2836 | 2864 | igfxwa32.exe | 35
PID 2836 wrote to memory of 2936 | 2836 | igfxwa32.exe | 36
PID 2836 wrote to memory of 2936 | 2836 | igfxwa32.exe | 36
PID 2836 wrote to memory of 2936 | 2836 | igfxwa32.exe | 36
PID 2836 wrote to memory of 2936 | 2836 | igfxwa32.exe | 36
PID 2936 wrote to memory of 788 | 2936 | igfxwa32.exe | 37
PID 2936 wrote to memory of 788 | 2936 | igfxwa32.exe | 37
PID 2936 wrote to memory of 788 | 2936 | igfxwa32.exe | 37
PID 2936 wrote to memory of 788 | 2936 | igfxwa32.exe | 37
PID 2936 wrote to memory of 788 | 2936 | igfxwa32.exe | 37
PID 2936 wrote to memory of 788 | 2936 | igfxwa32.exe | 37
PID 2936 wrote to memory of 788 | 2936 | igfxwa32.exe | 37
PID 788 wrote to memory of 1680 | 788 | igfxwa32.exe | 38
PID 788 wrote to memory of 1680 | 788 | igfxwa32.exe | 38
PID 788 wrote to memory of 1680 | 788 | igfxwa32.exe | 38
PID 788 wrote to memory of 1680 | 788 | igfxwa32.exe | 38
PID 1680 wrote to memory of 300 | 1680 | igfxwa32.exe | 39
PID 1680 wrote to memory of 300 | 1680 | igfxwa32.exe | 39
PID 1680 wrote to memory of 300 | 1680 | igfxwa32.exe | 39
PID 1680 wrote to memory of 300 | 1680 | igfxwa32.exe | 39
PID 1680 wrote to memory of 300 | 1680 | igfxwa32.exe | 39
PID 1680 wrote to memory of 300 | 1680 | igfxwa32.exe | 39
PID 1680 wrote to memory of 300 | 1680 | igfxwa32.exe | 39
PID 300 wrote to memory of 1944 | 300 | igfxwa32.exe | 40
PID 300 wrote to memory of 1944 | 300 | igfxwa32.exe | 40
PID 300 wrote to memory of 1944 | 300 | igfxwa32.exe | 40
PID 300 wrote to memory of 1944 | 300 | igfxwa32.exe | 40
PID 1944 wrote to memory of 2548 | 1944 | igfxwa32.exe | 41
PID 1944 wrote to memory of 2548 | 1944 | igfxwa32.exe | 41
PID 1944 wrote to memory of 2548 | 1944 | igfxwa32.exe | 41
PID 1944 wrote to memory of 2548 | 1944 | igfxwa32.exe | 41
PID 1944 wrote to memory of 2548 | 1944 | igfxwa32.exe | 41
PID 1944 wrote to memory of 2548 | 1944 | igfxwa32.exe | 41
PID 1944 wrote to memory of 2548 | 1944 | igfxwa32.exe | 41
PID 2548 wrote to memory of 2840 | 2548 | igfxwa32.exe | 42
PID 2548 wrote to memory of 2840 | 2548 | igfxwa32.exe | 42
Processes
C:\Users\Admin\AppData\Local\Temp\f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2572
C:\Users\Admin\AppData\Local\Temp\f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe (tree depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1996
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 3)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Users\Admin\AppData\Local\Temp\F7DB23~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2408
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 4)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Users\Admin\AppData\Local\Temp\F7DB23~1.EXE
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2716
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 5)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2864
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 6)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2836
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 7)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2936
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 8)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 788
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 9)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1680
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 10)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 300
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 11)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1944
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 12)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2548
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 13)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 2840
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 14)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2744
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 15)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 1396
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 16)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 1756
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 17)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 1284
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 18)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 1844
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 19)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 2996
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 20)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 868
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 21)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 2364
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 22)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 1516
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 23)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 2592
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 24)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2756
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 25)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 2544
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 26)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2980
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 27)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 1904
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 28)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 1320
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 29)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 1948
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 30)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 484
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 31)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 2584
C:\Windows\SysWOW64\igfxwa32.exe (tree depth 32)
  Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 2332
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 179KB
- MD5: f7db238e7c083d3cc0b4c482dc6cebea
- SHA1: 3b7e846bb2d6df654a680fc0a56fc9c0ea2c86a5
- SHA256: 7a5ccbef0a7db83971af93eb550fe0e58543a92bc24f791c13363bc683dc545d
- SHA512: 5dbec22963306fd67a8787063ff38b7954934c98d3ff53629e131b67671106b7a9e1807811817408ba990cb70bc0e5e5ca8f077e2c061ebcf80a36b49239c0ad