Analysis
max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 26-09-2024 07:22
Static task: static1
Behavioral task: behavioral1
  Sample: f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
Size: 179KB
MD5: f7db238e7c083d3cc0b4c482dc6cebea
SHA1: 3b7e846bb2d6df654a680fc0a56fc9c0ea2c86a5
SHA256: 7a5ccbef0a7db83971af93eb550fe0e58543a92bc24f791c13363bc683dc545d
SHA512: 5dbec22963306fd67a8787063ff38b7954934c98d3ff53629e131b67671106b7a9e1807811817408ba990cb70bc0e5e5ca8f077e2c061ebcf80a36b49239c0ad
SSDEEP: 3072:btOpuhG58eziMhEqj36FGyKnHbESMb8vND5bDZaHkjSq2:3Qzk4KFGyKnHuwvHbVaH42
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | igfxwa32.exe
Deletes itself 1 IoCs
pid | Process
964 | igfxwa32.exe
Executes dropped EXE 29 IoCs
pid | Process
2008 | igfxwa32.exe
964 | igfxwa32.exe
1772 | igfxwa32.exe
4300 | igfxwa32.exe
1536 | igfxwa32.exe
3592 | igfxwa32.exe
2428 | igfxwa32.exe
516 | igfxwa32.exe
2844 | igfxwa32.exe
2912 | igfxwa32.exe
2200 | igfxwa32.exe
3012 | igfxwa32.exe
1028 | igfxwa32.exe
3228 | igfxwa32.exe
3896 | igfxwa32.exe
4376 | igfxwa32.exe
3416 | igfxwa32.exe
2896 | igfxwa32.exe
800 | igfxwa32.exe
2556 | igfxwa32.exe
1088 | igfxwa32.exe
3036 | igfxwa32.exe
4712 | igfxwa32.exe
4092 | igfxwa32.exe
1052 | igfxwa32.exe
3500 | igfxwa32.exe
4060 | igfxwa32.exe
1336 | igfxwa32.exe
3736 | igfxwa32.exe
Maps connected drives based on registry 3 TTPs 30 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwa32.exe
Drops file in System32 directory 45 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
File created | C:\Windows\SysWOW64\igfxwa32.exe | igfxwa32.exe
Suspicious use of SetThreadContext 15 IoCs
description | pid | Process | procid_target
PID 4480 set thread context of 2960 | 4480 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 82
PID 2008 set thread context of 964 | 2008 | igfxwa32.exe | 91
PID 1772 set thread context of 4300 | 1772 | igfxwa32.exe | 93
PID 1536 set thread context of 3592 | 1536 | igfxwa32.exe | 97
PID 2428 set thread context of 516 | 2428 | igfxwa32.exe | 99
PID 2844 set thread context of 2912 | 2844 | igfxwa32.exe | 101
PID 2200 set thread context of 3012 | 2200 | igfxwa32.exe | 103
PID 1028 set thread context of 3228 | 1028 | igfxwa32.exe | 105
PID 3896 set thread context of 4376 | 3896 | igfxwa32.exe | 107
PID 3416 set thread context of 2896 | 3416 | igfxwa32.exe | 109
PID 800 set thread context of 2556 | 800 | igfxwa32.exe | 111
PID 1088 set thread context of 3036 | 1088 | igfxwa32.exe | 113
PID 4712 set thread context of 4092 | 4712 | igfxwa32.exe | 115
PID 1052 set thread context of 3500 | 1052 | igfxwa32.exe | 117
PID 4060 set thread context of 1336 | 4060 | igfxwa32.exe | 119
resource | yara_rule
behavioral2/memory/2960-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2960-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2960-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2960-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2960-37-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/964-43-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/964-44-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/964-45-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/964-47-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4300-54-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3592-63-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/516-69-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2912-77-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3012-83-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3228-91-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4376-98-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2896-104-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2556-111-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3036-119-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4092-128-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3500-136-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1336-144-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwa32.exe
Modifies registry class 15 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwa32.exe
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid | Process | events
2960 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 4
964 | igfxwa32.exe | 4
4300 | igfxwa32.exe | 4
3592 | igfxwa32.exe | 4
516 | igfxwa32.exe | 4
2912 | igfxwa32.exe | 4
3012 | igfxwa32.exe | 4
3228 | igfxwa32.exe | 4
4376 | igfxwa32.exe | 4
2896 | igfxwa32.exe | 4
2556 | igfxwa32.exe | 4
3036 | igfxwa32.exe | 4
4092 | igfxwa32.exe | 4
3500 | igfxwa32.exe | 4
1336 | igfxwa32.exe | 4
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | events
PID 4480 wrote to memory of 2960 | 4480 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 82 | 7
PID 2960 wrote to memory of 2008 | 2960 | f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe | 87 | 3
PID 2008 wrote to memory of 964 | 2008 | igfxwa32.exe | 91 | 7
PID 964 wrote to memory of 1772 | 964 | igfxwa32.exe | 92 | 3
PID 1772 wrote to memory of 4300 | 1772 | igfxwa32.exe | 93 | 7
PID 4300 wrote to memory of 1536 | 4300 | igfxwa32.exe | 95 | 3
PID 1536 wrote to memory of 3592 | 1536 | igfxwa32.exe | 97 | 7
PID 3592 wrote to memory of 2428 | 3592 | igfxwa32.exe | 98 | 3
PID 2428 wrote to memory of 516 | 2428 | igfxwa32.exe | 99 | 7
PID 516 wrote to memory of 2844 | 516 | igfxwa32.exe | 100 | 3
PID 2844 wrote to memory of 2912 | 2844 | igfxwa32.exe | 101 | 7
PID 2912 wrote to memory of 2200 | 2912 | igfxwa32.exe | 102 | 3
PID 2200 wrote to memory of 3012 | 2200 | igfxwa32.exe | 103 | 4
Processes
(1) C:\Users\Admin\AppData\Local\Temp\f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe"
    PID: 4480
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
(2) C:\Users\Admin\AppData\Local\Temp\f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7db238e7c083d3cc0b4c482dc6cebea_JaffaCakes118.exe"
    PID: 2960
    - Checks computer location settings
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
(3) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Users\Admin\AppData\Local\Temp\F7DB23~1.EXE
    PID: 2008
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
(4) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Users\Admin\AppData\Local\Temp\F7DB23~1.EXE
    PID: 964
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
(5) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 1772
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
(6) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 4300
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
(7) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 1536
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
(8) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 3592
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
(9) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 2428
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
(10) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 516
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
(11) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 2844
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
(12) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 2912
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
(13) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 2200
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
(14) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 3012
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
(15) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 1028
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
(16) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 3228
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
(17) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 3896
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
(18) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 4376
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
(19) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 3416
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
(20) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 2896
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
(21) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 800
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
(22) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 2556
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
(23) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 1088
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
(24) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 3036
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
(25) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 4712
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
(26) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 4092
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
(27) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 1052
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
(28) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 3500
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
(29) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 4060
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
(30) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 1336
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
(31) C:\Windows\SysWOW64\igfxwa32.exe
    Command line: "C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
    PID: 3736
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 179KB
MD5: f7db238e7c083d3cc0b4c482dc6cebea
SHA1: 3b7e846bb2d6df654a680fc0a56fc9c0ea2c86a5
SHA256: 7a5ccbef0a7db83971af93eb550fe0e58543a92bc24f791c13363bc683dc545d
SHA512: 5dbec22963306fd67a8787063ff38b7954934c98d3ff53629e131b67671106b7a9e1807811817408ba990cb70bc0e5e5ca8f077e2c061ebcf80a36b49239c0ad